wannacry | b91ed11287b405a98863214b19ba8bee0134715aca985d0fd6cb1765aa8c50e3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d2daf069b36656688ef15b656ce9fd1.dll
Size

5.0MB
MD5

2d2daf069b36656688ef15b656ce9fd1
SHA1

04901d6c4a4d3cde87da7d70d3c32850dfed593c
SHA256

b91ed11287b405a98863214b19ba8bee0134715aca985d0fd6cb1765aa8c50e3
SHA512

89c64b66d92ddc6c527e62bb599e06039eb96917d997d7aefc0d5df2316dcaa0f22f07ec31ca64a7440cb094ccd9e06d2b9d691146895f4c71f2a074400d9475

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3247) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

952 mssecsvc.exe
2352 mssecsvc.exe
3984 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
952	mssecsvc.exe
2352	mssecsvc.exe
3984	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5116 wrote to memory of 4904	5116	rundll32.exe	rundll32.exe
PID 5116 wrote to memory of 4904	5116	rundll32.exe	rundll32.exe
PID 5116 wrote to memory of 4904	5116	rundll32.exe	rundll32.exe
PID 4904 wrote to memory of 952	4904	rundll32.exe	mssecsvc.exe
PID 4904 wrote to memory of 952	4904	rundll32.exe	mssecsvc.exe
PID 4904 wrote to memory of 952	4904	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d2daf069b36656688ef15b656ce9fd1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d2daf069b36656688ef15b656ce9fd1.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4904

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:952

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3984

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
2c5d1266a3d54d8777b91e6c85809f9b

SHA1
9e470ca3ee569637e8a681b2fff468b7a2a025df

SHA256
5719cf9060aa193a15f686bc35824f5faeb8c72903ff925359ccfba1b86c39f6

SHA512
8bfac7f913109cb8ace120f34de1a2f1f1bacab1204bf497376e84e5d736dbb8447e81f8bc2c32a6f45b11df7ab5a515a0fa78aaa09b1d0ffcb77c2734bffe61

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
2c5d1266a3d54d8777b91e6c85809f9b

SHA1
9e470ca3ee569637e8a681b2fff468b7a2a025df

SHA256
5719cf9060aa193a15f686bc35824f5faeb8c72903ff925359ccfba1b86c39f6

SHA512
8bfac7f913109cb8ace120f34de1a2f1f1bacab1204bf497376e84e5d736dbb8447e81f8bc2c32a6f45b11df7ab5a515a0fa78aaa09b1d0ffcb77c2734bffe61

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
2c5d1266a3d54d8777b91e6c85809f9b

SHA1
9e470ca3ee569637e8a681b2fff468b7a2a025df

SHA256
5719cf9060aa193a15f686bc35824f5faeb8c72903ff925359ccfba1b86c39f6

SHA512
8bfac7f913109cb8ace120f34de1a2f1f1bacab1204bf497376e84e5d736dbb8447e81f8bc2c32a6f45b11df7ab5a515a0fa78aaa09b1d0ffcb77c2734bffe61

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
78f62ebcadf01c619ca59543567d275c

SHA1
ce71a9231cf4599a2a2e2700e6f400b611355a0a

SHA256
e23d8a86f64b888c8807f86138e0b067d879d57cd333eab88db81c937be9f08c

SHA512
cc0005545b2015125d2d026d1f1d4d4f16ee6042e0caf029b1bc0b466a0b2eb7f1f83c28c2e784e07135f5103b83fd5cff2583f88818cd6bfb5cc1e9719d5065

Download Submit
memory/952-131-0x0000000000000000-mapping.dmp

Download
memory/4904-130-0x0000000000000000-mapping.dmp

Download