wannacry | 50ce21338b3fc1588a96cedc45b27f9019cdfef4348f808ac7bda1d555783a5d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:30

Target

1d6d94d464f5c412a46cc627d0b6e460.dll
Size

5.0MB
MD5

1d6d94d464f5c412a46cc627d0b6e460
SHA1

c6eb8e052cbd38a14b205ef027c06bb4a66680b4
SHA256

50ce21338b3fc1588a96cedc45b27f9019cdfef4348f808ac7bda1d555783a5d
SHA512

441ef97b91f74c3fb35e36a836e57893390f3768d9089c763b4175fa2f728596fa37353023c47a96bb286e39d88a0014849534b5e1d93c33605ea45c80aa2826

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3228) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

1588 mssecsvr.exe
1864 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
1588	mssecsvr.exe
1864	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1368 wrote to memory of 1476	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1476	1368	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 1476	1368	rundll32.exe	rundll32.exe
PID 1476 wrote to memory of 1588	1476	rundll32.exe	mssecsvr.exe
PID 1476 wrote to memory of 1588	1476	rundll32.exe	mssecsvr.exe
PID 1476 wrote to memory of 1588	1476	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d6d94d464f5c412a46cc627d0b6e460.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1368

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
4291e4b98cb467e9515b55fcae20f939

SHA1
99e179a5ded29b5ea6e8874c36c9c66131d347bc

SHA256
0929d063bd600a32c876ed136ad58d93bf4fe665f497457bbf7472c62dc8b539

SHA512
f9173584f45ddeefa0ab80d2e743eb8ddff1ddd4ccb05937a02b2adb8324f4f39b9185acc93b4b15042efce2ebe3e413b347368f5a1085432b57b05ffb30b90b

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
4291e4b98cb467e9515b55fcae20f939

SHA1
99e179a5ded29b5ea6e8874c36c9c66131d347bc

SHA256
0929d063bd600a32c876ed136ad58d93bf4fe665f497457bbf7472c62dc8b539

SHA512
f9173584f45ddeefa0ab80d2e743eb8ddff1ddd4ccb05937a02b2adb8324f4f39b9185acc93b4b15042efce2ebe3e413b347368f5a1085432b57b05ffb30b90b

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
4291e4b98cb467e9515b55fcae20f939

SHA1
99e179a5ded29b5ea6e8874c36c9c66131d347bc

SHA256
0929d063bd600a32c876ed136ad58d93bf4fe665f497457bbf7472c62dc8b539

SHA512
f9173584f45ddeefa0ab80d2e743eb8ddff1ddd4ccb05937a02b2adb8324f4f39b9185acc93b4b15042efce2ebe3e413b347368f5a1085432b57b05ffb30b90b

Download Submit
memory/1476-130-0x0000000000000000-mapping.dmp

Download
memory/1588-131-0x0000000000000000-mapping.dmp

Download