wannacry | 5e014f792276618ccc7e7401207fb2758097f440ce28aeb70a024b6ed4251aa1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289b14c50534850a499a14943b3775be.dll
Size

5.0MB
MD5

289b14c50534850a499a14943b3775be
SHA1

e0f14c10d9ba20507112ba61601a0ea28487acad
SHA256

5e014f792276618ccc7e7401207fb2758097f440ce28aeb70a024b6ed4251aa1
SHA512

c297568324027a54c2dd1f0afee95853e7bdd868c4c4870a4a94ed1670d5a3dfda6f653563a7670a5bf0b6c7bd32daf77401624362d665a563277d36e17df703

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3190) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3196 mssecsvc.exe
444 mssecsvc.exe
4864 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3196	mssecsvc.exe
444	mssecsvc.exe
4864	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2404 wrote to memory of 4064	2404	rundll32.exe	rundll32.exe
PID 2404 wrote to memory of 4064	2404	rundll32.exe	rundll32.exe
PID 2404 wrote to memory of 4064	2404	rundll32.exe	rundll32.exe
PID 4064 wrote to memory of 3196	4064	rundll32.exe	mssecsvc.exe
PID 4064 wrote to memory of 3196	4064	rundll32.exe	mssecsvc.exe
PID 4064 wrote to memory of 3196	4064	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\289b14c50534850a499a14943b3775be.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\289b14c50534850a499a14943b3775be.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4064

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3196

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4864

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
1de10f9b5b1a8855ca5d768597e0878c

SHA1
93b07fdb478eb6889c396aa7b001fb1ba847aeef

SHA256
3c7e60c42691649c40c0f03887bd3214d9f7d59b47674cd6264f3f7969205768

SHA512
c4bfc0a2e8d1613ef1e82279f4a47ed43f2ca1be4d8602cd976569cfd7a9f1452626b8caf5059db959d6607b99743fffb1118df7cdeb0e6129c1c56e2604618a

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
1de10f9b5b1a8855ca5d768597e0878c

SHA1
93b07fdb478eb6889c396aa7b001fb1ba847aeef

SHA256
3c7e60c42691649c40c0f03887bd3214d9f7d59b47674cd6264f3f7969205768

SHA512
c4bfc0a2e8d1613ef1e82279f4a47ed43f2ca1be4d8602cd976569cfd7a9f1452626b8caf5059db959d6607b99743fffb1118df7cdeb0e6129c1c56e2604618a

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
1de10f9b5b1a8855ca5d768597e0878c

SHA1
93b07fdb478eb6889c396aa7b001fb1ba847aeef

SHA256
3c7e60c42691649c40c0f03887bd3214d9f7d59b47674cd6264f3f7969205768

SHA512
c4bfc0a2e8d1613ef1e82279f4a47ed43f2ca1be4d8602cd976569cfd7a9f1452626b8caf5059db959d6607b99743fffb1118df7cdeb0e6129c1c56e2604618a

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
eb02357aaece8bba8d7f65bd4896e141

SHA1
7cb3a5a0aa5e88c3fd56ffcffa8fcf72e5cd874f

SHA256
74cbdd1e7cca2c3bae3bbf59eaf93db0a328135d9b260d7acd0a3c74689b6b68

SHA512
1c19695ca878add2d0716e6817577a761c9caf856efdf7ca115897ebf3af76d455a17834a7f9105fd67925deb04fdc24637b66f496c035720ae2eb3d84883cd6

Download Submit
memory/3196-131-0x0000000000000000-mapping.dmp

Download
memory/4064-130-0x0000000000000000-mapping.dmp

Download