wannacry | aec918fc5527c8960921c04c7abbcf3aadcb5d8f0aa6862c6d6be68e28771a68

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63c573c0e2eb59009ef97da2ecf73f0e.dll
Size

5.0MB
MD5

63c573c0e2eb59009ef97da2ecf73f0e
SHA1

37190dc39e54b87cf0447baf3586f46e44b0f25f
SHA256

aec918fc5527c8960921c04c7abbcf3aadcb5d8f0aa6862c6d6be68e28771a68
SHA512

4dc76ecac022bda0dd76cab6e1bbf6774663be1a19d120c13e45ce80c07ef8091c2126d1c341fe87da2d32a7ed0c05afbdfca25f8503d95c653bacaa14be2055

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3321) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3372 mssecsvc.exe
2864 mssecsvc.exe
4120 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3372	mssecsvc.exe
2864	mssecsvc.exe
4120	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3516 wrote to memory of 1540	3516	rundll32.exe	rundll32.exe
PID 3516 wrote to memory of 1540	3516	rundll32.exe	rundll32.exe
PID 3516 wrote to memory of 1540	3516	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 3372	1540	rundll32.exe	mssecsvc.exe
PID 1540 wrote to memory of 3372	1540	rundll32.exe	mssecsvc.exe
PID 1540 wrote to memory of 3372	1540	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\63c573c0e2eb59009ef97da2ecf73f0e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\63c573c0e2eb59009ef97da2ecf73f0e.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1540

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3372

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4120

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
831d52f31a6a17f83e537cd88fb7cb45

SHA1
a0438282a960785beec3d9883b30f52096d15fd5

SHA256
7c8c62652776124e5677090240da894daa838fb8b4a6ced0631523dc8b7e8914

SHA512
2abfedabc833fb03db733d8e615e6d07ef291107aec7f68d3aea6867ade5c53d02a1caa97d292a2f34d5a14e57f163e300f7452b076ea71fd3846729c05e9bb6

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
831d52f31a6a17f83e537cd88fb7cb45

SHA1
a0438282a960785beec3d9883b30f52096d15fd5

SHA256
7c8c62652776124e5677090240da894daa838fb8b4a6ced0631523dc8b7e8914

SHA512
2abfedabc833fb03db733d8e615e6d07ef291107aec7f68d3aea6867ade5c53d02a1caa97d292a2f34d5a14e57f163e300f7452b076ea71fd3846729c05e9bb6

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
831d52f31a6a17f83e537cd88fb7cb45

SHA1
a0438282a960785beec3d9883b30f52096d15fd5

SHA256
7c8c62652776124e5677090240da894daa838fb8b4a6ced0631523dc8b7e8914

SHA512
2abfedabc833fb03db733d8e615e6d07ef291107aec7f68d3aea6867ade5c53d02a1caa97d292a2f34d5a14e57f163e300f7452b076ea71fd3846729c05e9bb6

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
35b29eb65b8155ffddce5b739c464334

SHA1
2ee26d2ffae3d9c7e22fdca9ceba8224104a76da

SHA256
ce57ff23fb05e36a1633a8952a3c9a660883b8a7783c5ca17cf448a6b9d94209

SHA512
543d399ea56484a085392c1ece2ccfaad6011980d088038aa320adc1e969b958722250849f7e15f9da8c1ee8bf7ece0763d746c998f9fc6068f732fbf4eab392

Download Submit
memory/1540-130-0x0000000000000000-mapping.dmp

Download
memory/3372-131-0x0000000000000000-mapping.dmp

Download