wannacry | 97bcff11001a7c764cb7e533f3e25880e50039f79d41feeede35944ba251b4d4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

150ee2d0b2e6a3c56b572b9783de32fd.dll
Size

5.0MB
MD5

150ee2d0b2e6a3c56b572b9783de32fd
SHA1

fff045f439705954979fd84265e7d9cfba2947ec
SHA256

97bcff11001a7c764cb7e533f3e25880e50039f79d41feeede35944ba251b4d4
SHA512

a1a45a461a0c8a2a8421626fa6ae782e3bf7d419fb8c92a071ee76114247ccdbc5c401900955a596eb8cc58fa71a0de11b4a7557e119bc0086b4252f2fe4f487

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3164) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4556 mssecsvc.exe
2188 mssecsvc.exe
4840 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4556	mssecsvc.exe
2188	mssecsvc.exe
4840	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3120 wrote to memory of 3924	3120	rundll32.exe	rundll32.exe
PID 3120 wrote to memory of 3924	3120	rundll32.exe	rundll32.exe
PID 3120 wrote to memory of 3924	3120	rundll32.exe	rundll32.exe
PID 3924 wrote to memory of 4556	3924	rundll32.exe	mssecsvc.exe
PID 3924 wrote to memory of 4556	3924	rundll32.exe	mssecsvc.exe
PID 3924 wrote to memory of 4556	3924	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\150ee2d0b2e6a3c56b572b9783de32fd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\150ee2d0b2e6a3c56b572b9783de32fd.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3924

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4556

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4840

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
e8f15b2e6f0f9aa17464487ecb8c3939

SHA1
55ca67d41ad820326aa1cb4aa4780619654eb585

SHA256
43f914802e828bdc92afa83027961494cea3f39d16149a5c76acb330405ddc3f

SHA512
8717c7589303e802f456b4dfb913e6a614a8ed4577d518820c22e5dcd14f59a15406823bd4ee4cf7b36f595acdc819ca18c0da7e039af186670aad93241f1e5b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e8f15b2e6f0f9aa17464487ecb8c3939

SHA1
55ca67d41ad820326aa1cb4aa4780619654eb585

SHA256
43f914802e828bdc92afa83027961494cea3f39d16149a5c76acb330405ddc3f

SHA512
8717c7589303e802f456b4dfb913e6a614a8ed4577d518820c22e5dcd14f59a15406823bd4ee4cf7b36f595acdc819ca18c0da7e039af186670aad93241f1e5b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e8f15b2e6f0f9aa17464487ecb8c3939

SHA1
55ca67d41ad820326aa1cb4aa4780619654eb585

SHA256
43f914802e828bdc92afa83027961494cea3f39d16149a5c76acb330405ddc3f

SHA512
8717c7589303e802f456b4dfb913e6a614a8ed4577d518820c22e5dcd14f59a15406823bd4ee4cf7b36f595acdc819ca18c0da7e039af186670aad93241f1e5b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
0ac08ee38e7d39ee7e3d90f573ad5d8f

SHA1
9e59f5beec0f2fedc275b6d7a9a60315d48e2cde

SHA256
d02a2876429e039e08b74fd02007803343fa2b1f284b2674319d4286fb9ec20d

SHA512
088ffba0dcaa89a81f01cccebd87755d152fbc43e702ac69325953ea5701894d77922e46a4e7c857b9a5aa2cbdfc4a42624075b926e4e8339f6d9400e522ea04

Download Submit
memory/3924-130-0x0000000000000000-mapping.dmp

Download
memory/4556-131-0x0000000000000000-mapping.dmp

Download