wannacry | 1618f3bb469668ff51dfcd2e302c866a424d3fe17eb49159934e85421a3a6668

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:35

Target

acb0a02446bbf730fcf89fdd403497f5.dll
Size

5.0MB
MD5

acb0a02446bbf730fcf89fdd403497f5
SHA1

8ec4f36c98ba976ba397edb0fc09aa61c4786271
SHA256

1618f3bb469668ff51dfcd2e302c866a424d3fe17eb49159934e85421a3a6668
SHA512

438dd76212fa83d26b92d5bd18dd69aba72cf759598b86fa4d126a37e8cab6e7fa4d90981e8c43cbffff6f8f8ee5352d9bb5c5f741999b095493b1a25214e7f5

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3136) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

3120 mssecsvc.exe
3128 mssecsvc.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3120	mssecsvc.exe
3128	mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2304 wrote to memory of 4356	2304	rundll32.exe	rundll32.exe
PID 2304 wrote to memory of 4356	2304	rundll32.exe	rundll32.exe
PID 2304 wrote to memory of 4356	2304	rundll32.exe	rundll32.exe
PID 4356 wrote to memory of 3120	4356	rundll32.exe	mssecsvc.exe
PID 4356 wrote to memory of 3120	4356	rundll32.exe	mssecsvc.exe
PID 4356 wrote to memory of 3120	4356	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acb0a02446bbf730fcf89fdd403497f5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2304

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
f0aedaae90762d7baf6892ddf21123dc

SHA1
70d031c8403c118d157b1ab7f474b8b01441d789

SHA256
5b86466316cbe584fb86aa186ef2a06d40c2f6b9f58c5b69aa64aac8cab1f7a0

SHA512
06cab9760a98ed58ad3d298fde8955307c83338d5f7fc9793e599afbb71e0f74e4f2ed39474d8376d710dc3660c3cce2677cbf95569410897f79b9e771330bf8

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
f0aedaae90762d7baf6892ddf21123dc

SHA1
70d031c8403c118d157b1ab7f474b8b01441d789

SHA256
5b86466316cbe584fb86aa186ef2a06d40c2f6b9f58c5b69aa64aac8cab1f7a0

SHA512
06cab9760a98ed58ad3d298fde8955307c83338d5f7fc9793e599afbb71e0f74e4f2ed39474d8376d710dc3660c3cce2677cbf95569410897f79b9e771330bf8

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
f0aedaae90762d7baf6892ddf21123dc

SHA1
70d031c8403c118d157b1ab7f474b8b01441d789

SHA256
5b86466316cbe584fb86aa186ef2a06d40c2f6b9f58c5b69aa64aac8cab1f7a0

SHA512
06cab9760a98ed58ad3d298fde8955307c83338d5f7fc9793e599afbb71e0f74e4f2ed39474d8376d710dc3660c3cce2677cbf95569410897f79b9e771330bf8

Download Submit
memory/3120-131-0x0000000000000000-mapping.dmp

Download
memory/4356-130-0x0000000000000000-mapping.dmp

Download