wannacry | 25dfafdba40d4fe12ca9e8665529db03e7d21234b2bec00ac8e97cce4f84d54d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

700676152020869995f46970dc5c2dd2.dll
Size

5.0MB
MD5

700676152020869995f46970dc5c2dd2
SHA1

d68271778f94dbefa05052005c328fca8eadb06c
SHA256

25dfafdba40d4fe12ca9e8665529db03e7d21234b2bec00ac8e97cce4f84d54d
SHA512

1bcc848e4e9a3d1b803d31c44c01ccfef8ae06a791d08f8f735690b338542de061cb3dfa8931403fe7ae948329721d3ec1bf3497277b2845c7ac0dd2337c020a

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3185) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3928 mssecsvc.exe
2828 mssecsvc.exe
3140 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
3928	mssecsvc.exe
2828	mssecsvc.exe
3140	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2524 wrote to memory of 1572	2524	rundll32.exe	rundll32.exe
PID 2524 wrote to memory of 1572	2524	rundll32.exe	rundll32.exe
PID 2524 wrote to memory of 1572	2524	rundll32.exe	rundll32.exe
PID 1572 wrote to memory of 3928	1572	rundll32.exe	mssecsvc.exe
PID 1572 wrote to memory of 3928	1572	rundll32.exe	mssecsvc.exe
PID 1572 wrote to memory of 3928	1572	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\700676152020869995f46970dc5c2dd2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\700676152020869995f46970dc5c2dd2.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1572

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3928

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3140

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
e4e7cb078d9eca7e6ac5f738eb28b55e

SHA1
1645f2bd1d5845eca9c44a112b7762e87631c1b5

SHA256
a42c06cd1cd7adf77a96cc6e532a34b5f6c440a6a2789e63d6c35725f263eb0c

SHA512
ce70087d35712c6d0f4202f540dac8d3a89f8c531c0713ddbcb339a6199bab5cb2ad7500cc561177bd374bb21c04129529cc391d325da87291ee7804beb89880

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e4e7cb078d9eca7e6ac5f738eb28b55e

SHA1
1645f2bd1d5845eca9c44a112b7762e87631c1b5

SHA256
a42c06cd1cd7adf77a96cc6e532a34b5f6c440a6a2789e63d6c35725f263eb0c

SHA512
ce70087d35712c6d0f4202f540dac8d3a89f8c531c0713ddbcb339a6199bab5cb2ad7500cc561177bd374bb21c04129529cc391d325da87291ee7804beb89880

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e4e7cb078d9eca7e6ac5f738eb28b55e

SHA1
1645f2bd1d5845eca9c44a112b7762e87631c1b5

SHA256
a42c06cd1cd7adf77a96cc6e532a34b5f6c440a6a2789e63d6c35725f263eb0c

SHA512
ce70087d35712c6d0f4202f540dac8d3a89f8c531c0713ddbcb339a6199bab5cb2ad7500cc561177bd374bb21c04129529cc391d325da87291ee7804beb89880

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
ffe049220458df6d87813bda567fd205

SHA1
3d16faf3e388022f0f936fba1d215d92c9bbbed9

SHA256
fd7430245972860f132b7a51f6538274b8c87d4e3b752590b727b78c8a5ea666

SHA512
16a912db521a6207b53ff511488d1543ce61e2f28c69d4380f39a7e7e4521592044b54668e1811413741b82190a84de7b48d1244179b67ea8d9f60cc2df8ff90

Download Submit
memory/1572-130-0x0000000000000000-mapping.dmp

Download
memory/3928-131-0x0000000000000000-mapping.dmp

Download