wannacry | 016b40a769d4d34da8cdf3bf08a166c3243b659c31c152d3c0899993a7aa8f07

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70db09d5c1b353cc72012e222f1125fa.dll
Size

5.0MB
MD5

70db09d5c1b353cc72012e222f1125fa
SHA1

c4b787d52d8e8edbdd150f9eaa2555a5b9b2af01
SHA256

016b40a769d4d34da8cdf3bf08a166c3243b659c31c152d3c0899993a7aa8f07
SHA512

674249b9375c124c4fc44781dd88f87d1c7c02c2378b1b464817b56ace78732689b4349c6d5967dae90bddcef7767f4f7a532e1111eeb920ca45f31de4f49abe

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3305) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

3436 mssecsvr.exe
3528 mssecsvr.exe
5044 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
3436	mssecsvr.exe
3528	mssecsvr.exe
5044	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4800 wrote to memory of 2296	4800	rundll32.exe	rundll32.exe
PID 4800 wrote to memory of 2296	4800	rundll32.exe	rundll32.exe
PID 4800 wrote to memory of 2296	4800	rundll32.exe	rundll32.exe
PID 2296 wrote to memory of 3436	2296	rundll32.exe	mssecsvr.exe
PID 2296 wrote to memory of 3436	2296	rundll32.exe	mssecsvr.exe
PID 2296 wrote to memory of 3436	2296	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70db09d5c1b353cc72012e222f1125fa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70db09d5c1b353cc72012e222f1125fa.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2296

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3436

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:5044

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
PID:3528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe
Filesize
3.6MB

MD5
4787fc242f884aaa688b0e2ec3be8b05

SHA1
ae8a9a19ff2d5c455d1ae3d8ab9e3a4d2b3217b5

SHA256
47ba56ef076b79b7b021d1542ab9fc2c35b14f9a9732db74c7b1cb3fe05bc905

SHA512
22aca9b48bd02d3552f57e22ede201118aa9e48c4d5c6a540aa51176e58ba7758d58324d38f96ab1e988c629fb84b794ddcd020224e73783dcd3fdc7e2137c25

Download Submit
C:\Windows\mssecsvr.exe
Filesize
3.6MB

MD5
4787fc242f884aaa688b0e2ec3be8b05

SHA1
ae8a9a19ff2d5c455d1ae3d8ab9e3a4d2b3217b5

SHA256
47ba56ef076b79b7b021d1542ab9fc2c35b14f9a9732db74c7b1cb3fe05bc905

SHA512
22aca9b48bd02d3552f57e22ede201118aa9e48c4d5c6a540aa51176e58ba7758d58324d38f96ab1e988c629fb84b794ddcd020224e73783dcd3fdc7e2137c25

Download Submit
C:\Windows\mssecsvr.exe
Filesize
3.6MB

MD5
4787fc242f884aaa688b0e2ec3be8b05

SHA1
ae8a9a19ff2d5c455d1ae3d8ab9e3a4d2b3217b5

SHA256
47ba56ef076b79b7b021d1542ab9fc2c35b14f9a9732db74c7b1cb3fe05bc905

SHA512
22aca9b48bd02d3552f57e22ede201118aa9e48c4d5c6a540aa51176e58ba7758d58324d38f96ab1e988c629fb84b794ddcd020224e73783dcd3fdc7e2137c25

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/2296-130-0x0000000000000000-mapping.dmp

Download
memory/3436-131-0x0000000000000000-mapping.dmp

Download