wannacry | 590b02828092f489ddb0c6c8a6296a65ec5f5413f7e7937c69d19e872bae8d72

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:31

Target

ad65486cebee6dda778e78b81d2459c3.dll
Size

5.0MB
MD5

ad65486cebee6dda778e78b81d2459c3
SHA1

02f70e13c0ca6b9f0f53d7ae280ead8b5a598fab
SHA256

590b02828092f489ddb0c6c8a6296a65ec5f5413f7e7937c69d19e872bae8d72
SHA512

56ca9918ba5173141f380b82c51649f0d6f5e73f8aa1a4e50edaaa037d5e78043466a069784cbfbfa348cf72b3137587fb720efc01a624df2c664f0aa2c4f597

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3089) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

1224 mssecsvr.exe
4424 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
1224	mssecsvr.exe
4424	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2400 wrote to memory of 5012	2400	rundll32.exe	rundll32.exe
PID 2400 wrote to memory of 5012	2400	rundll32.exe	rundll32.exe
PID 2400 wrote to memory of 5012	2400	rundll32.exe	rundll32.exe
PID 5012 wrote to memory of 1224	5012	rundll32.exe	mssecsvr.exe
PID 5012 wrote to memory of 1224	5012	rundll32.exe	mssecsvr.exe
PID 5012 wrote to memory of 1224	5012	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad65486cebee6dda778e78b81d2459c3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2400

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
3d1978e9d13438c38762afab1ed939d9

SHA1
f66c43ae37c0a29f1eebaba7d7a441ca0d13ecc3

SHA256
c7c94b419322769cfb99ec20b1a6263b226d32c452398a7bcb93001ead9fecc1

SHA512
edf548442435e7bae8a39daf9db6ac0037ac22bb39a03b09b03cdcd4677350f13726e93a0026184ab46a681890225c409a8497473d6229f3ed53941ad5979a1c

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
3d1978e9d13438c38762afab1ed939d9

SHA1
f66c43ae37c0a29f1eebaba7d7a441ca0d13ecc3

SHA256
c7c94b419322769cfb99ec20b1a6263b226d32c452398a7bcb93001ead9fecc1

SHA512
edf548442435e7bae8a39daf9db6ac0037ac22bb39a03b09b03cdcd4677350f13726e93a0026184ab46a681890225c409a8497473d6229f3ed53941ad5979a1c

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
3d1978e9d13438c38762afab1ed939d9

SHA1
f66c43ae37c0a29f1eebaba7d7a441ca0d13ecc3

SHA256
c7c94b419322769cfb99ec20b1a6263b226d32c452398a7bcb93001ead9fecc1

SHA512
edf548442435e7bae8a39daf9db6ac0037ac22bb39a03b09b03cdcd4677350f13726e93a0026184ab46a681890225c409a8497473d6229f3ed53941ad5979a1c

Download Submit
memory/1224-131-0x0000000000000000-mapping.dmp

Download
memory/5012-130-0x0000000000000000-mapping.dmp

Download