wannacry | 287889afcc2b86f6b705c55882880954e41f15ecbf3441980a567f8ff10605a3

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d92803db88c63ce63015eca6ec5e75a.dll
Size

5.0MB
MD5

5d92803db88c63ce63015eca6ec5e75a
SHA1

e202d06dc9a3f2bcc8c24afba5e73238f03b2340
SHA256

287889afcc2b86f6b705c55882880954e41f15ecbf3441980a567f8ff10605a3
SHA512

6efafb95bcfab2b8d14c5eb9adee4c21cfe0f900b873665159c3e157e8202046bd47adeddfd716fad65b93691addd5b4618bafe4d306814b2ac2d4318b359a47

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3331) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3852 mssecsvc.exe
4584 mssecsvc.exe
4580 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3852	mssecsvc.exe
4584	mssecsvc.exe
4580	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4284 wrote to memory of 2752	4284	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 2752	4284	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 2752	4284	rundll32.exe	rundll32.exe
PID 2752 wrote to memory of 3852	2752	rundll32.exe	mssecsvc.exe
PID 2752 wrote to memory of 3852	2752	rundll32.exe	mssecsvc.exe
PID 2752 wrote to memory of 3852	2752	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d92803db88c63ce63015eca6ec5e75a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d92803db88c63ce63015eca6ec5e75a.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2752

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3852

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4580

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
025b78612cb2cdcd2911e1ff9a4e2e97

SHA1
448993504e2582d4a5af3a3eac139389709c4955

SHA256
6e7079fd8bcd6a518fbfd1fa69f39063330a8bf22ecb795a550c7f611d03b02d

SHA512
3796e6953f08b4004889a361e9dca094203a0c3b8296da31c4e50c4475cfe73cc40d110d7f4d0b64f19781d877805a1715fec400a6607d0c86565efe80c36a59

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
025b78612cb2cdcd2911e1ff9a4e2e97

SHA1
448993504e2582d4a5af3a3eac139389709c4955

SHA256
6e7079fd8bcd6a518fbfd1fa69f39063330a8bf22ecb795a550c7f611d03b02d

SHA512
3796e6953f08b4004889a361e9dca094203a0c3b8296da31c4e50c4475cfe73cc40d110d7f4d0b64f19781d877805a1715fec400a6607d0c86565efe80c36a59

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
025b78612cb2cdcd2911e1ff9a4e2e97

SHA1
448993504e2582d4a5af3a3eac139389709c4955

SHA256
6e7079fd8bcd6a518fbfd1fa69f39063330a8bf22ecb795a550c7f611d03b02d

SHA512
3796e6953f08b4004889a361e9dca094203a0c3b8296da31c4e50c4475cfe73cc40d110d7f4d0b64f19781d877805a1715fec400a6607d0c86565efe80c36a59

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
ef98ed24f8de1a231f833d48da3484df

SHA1
bff6bbf8c6378ed15600d1bf3e340551fe490965

SHA256
41bfecc28427928f62e5af66c3328e0d2e72080a0f4cf6d6743b3699c433cac7

SHA512
29a06ac39ebf7d2d861df530019d513da1b40b87058d4e9194486352aa1738b9921adcad804e41b2914ed3042d021a1f8a102495666ca888f5560deb4f8601fd

Download Submit
memory/2752-130-0x0000000000000000-mapping.dmp

Download
memory/3852-131-0x0000000000000000-mapping.dmp

Download