wannacry | 845e35971df0eab511beea6783d7d70f3e12632b9f41240dafcb7a0ee00e2dc5

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03c0458628bcbd0a22bc22a07cd999fb.dll
Size

5.0MB
MD5

03c0458628bcbd0a22bc22a07cd999fb
SHA1

663712a992874cc94b3419701bfcf03572801ba7
SHA256

845e35971df0eab511beea6783d7d70f3e12632b9f41240dafcb7a0ee00e2dc5
SHA512

647b7d74569c544d90d2cc04c2ca4179a21f2f9741a1aef40cfe785611425c59180c5bd5e5f2ecd50ad098e2dea9b57df0658182de4ba662415c6ef8419ceda3

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3250) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

900 mssecsvc.exe
4864 mssecsvc.exe
3148 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
900	mssecsvc.exe
4864	mssecsvc.exe
3148	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4088 wrote to memory of 3840	4088	rundll32.exe	rundll32.exe
PID 4088 wrote to memory of 3840	4088	rundll32.exe	rundll32.exe
PID 4088 wrote to memory of 3840	4088	rundll32.exe	rundll32.exe
PID 3840 wrote to memory of 900	3840	rundll32.exe	mssecsvc.exe
PID 3840 wrote to memory of 900	3840	rundll32.exe	mssecsvc.exe
PID 3840 wrote to memory of 900	3840	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c0458628bcbd0a22bc22a07cd999fb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c0458628bcbd0a22bc22a07cd999fb.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3840

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:900

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3148

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
a71383099dda7a0c5c036fdb8e3eb237

SHA1
70e3fa8f1b12cb6e00f7242dae7663a7c15f95ff

SHA256
c03039b7e9cb4beb256efa0d4fdf15232108301272ce7862c2af7501e7bb4d01

SHA512
3f86bd4b7d025b4d940eea8ea6fc35c2231b148b8619a83348d371090f343a91865460074188b6f099127789cd447aa5545648294e09de62e800b654cb82139c

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a71383099dda7a0c5c036fdb8e3eb237

SHA1
70e3fa8f1b12cb6e00f7242dae7663a7c15f95ff

SHA256
c03039b7e9cb4beb256efa0d4fdf15232108301272ce7862c2af7501e7bb4d01

SHA512
3f86bd4b7d025b4d940eea8ea6fc35c2231b148b8619a83348d371090f343a91865460074188b6f099127789cd447aa5545648294e09de62e800b654cb82139c

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a71383099dda7a0c5c036fdb8e3eb237

SHA1
70e3fa8f1b12cb6e00f7242dae7663a7c15f95ff

SHA256
c03039b7e9cb4beb256efa0d4fdf15232108301272ce7862c2af7501e7bb4d01

SHA512
3f86bd4b7d025b4d940eea8ea6fc35c2231b148b8619a83348d371090f343a91865460074188b6f099127789cd447aa5545648294e09de62e800b654cb82139c

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9372de57664d7085b1040811fd7aeb54

SHA1
265c0d0bce9e87a79301b32140f00840d23f0603

SHA256
61e8e0e49f8986b5f25cedbe96590172221554cd8a560e83b412483d62170185

SHA512
9a46a8fcee56e554536c15e5f4ef1dcd50bcfa2cadb9daa375de023dad085521355d50fdd4a701da9142078a72776e5192b0f35cf2d4abc156b986254c414335

Download Submit
memory/900-131-0x0000000000000000-mapping.dmp

Download
memory/3840-130-0x0000000000000000-mapping.dmp

Download