wannacry | 0e3bf0a2ec32d05bcc15966c16ec51684d98102fd06ca16e01a3b93391fb9243

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

962e412d3dfb5757ca58b9666cd5a549.dll
Size

5.0MB
MD5

962e412d3dfb5757ca58b9666cd5a549
SHA1

1d3a1039fe3f88f5fcf848ce27770b117f5bb3cd
SHA256

0e3bf0a2ec32d05bcc15966c16ec51684d98102fd06ca16e01a3b93391fb9243
SHA512

21ae09efd9d425d4fa70724888b4d4940315eda36fcf527e239c2b2c5bf699844d2230f75da3438ee75044a99290de66e0a6d9282273e82b0b13acd27a9b3216

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3203) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2228 mssecsvc.exe
3436 mssecsvc.exe
4328 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2228	mssecsvc.exe
3436	mssecsvc.exe
4328	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1120 wrote to memory of 1376	1120	rundll32.exe	rundll32.exe
PID 1120 wrote to memory of 1376	1120	rundll32.exe	rundll32.exe
PID 1120 wrote to memory of 1376	1120	rundll32.exe	rundll32.exe
PID 1376 wrote to memory of 2228	1376	rundll32.exe	mssecsvc.exe
PID 1376 wrote to memory of 2228	1376	rundll32.exe	mssecsvc.exe
PID 1376 wrote to memory of 2228	1376	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\962e412d3dfb5757ca58b9666cd5a549.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\962e412d3dfb5757ca58b9666cd5a549.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1376

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2228

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4328

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
0d7d93ef42417f5b9a6bfb5af422860b

SHA1
1249facb5e70626a09cd5f2391f47762a8844d9d

SHA256
710063f297091936cc899c151ad169a05c12d8cf7470f75083f727e70164ece6

SHA512
0c6c84a3aa023ca842d58051512f669be28fb3a15eb91279e997928e5f8dbd5beb31cbfb64d15cbdc92bae81b821b4e06e4ef3ec675635bd4e5c02cb3bfd4022

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0d7d93ef42417f5b9a6bfb5af422860b

SHA1
1249facb5e70626a09cd5f2391f47762a8844d9d

SHA256
710063f297091936cc899c151ad169a05c12d8cf7470f75083f727e70164ece6

SHA512
0c6c84a3aa023ca842d58051512f669be28fb3a15eb91279e997928e5f8dbd5beb31cbfb64d15cbdc92bae81b821b4e06e4ef3ec675635bd4e5c02cb3bfd4022

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0d7d93ef42417f5b9a6bfb5af422860b

SHA1
1249facb5e70626a09cd5f2391f47762a8844d9d

SHA256
710063f297091936cc899c151ad169a05c12d8cf7470f75083f727e70164ece6

SHA512
0c6c84a3aa023ca842d58051512f669be28fb3a15eb91279e997928e5f8dbd5beb31cbfb64d15cbdc92bae81b821b4e06e4ef3ec675635bd4e5c02cb3bfd4022

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
c6537995838f255722edc6824ea54e54

SHA1
24bd752260770bde897b053984a9cfff9e7bb757

SHA256
ab5a9c6e8608d61385b0ae8e620d3636d4ac774207159b67084859410fd591c1

SHA512
4c6d275ac28fec440cbe024c0d6f8c721be9c4740ce9f3a32c04926e09ef2e15d7b3cca4acc0b045d1fb99f16c4db1bb26940ef6b48beee5882bd07b1b8889f2

Download Submit
memory/1376-130-0x0000000000000000-mapping.dmp

Download
memory/2228-131-0x0000000000000000-mapping.dmp

Download