wannacry | b5f9ea361b199585e9ab3eb4457b7aeebf2d15cb9586cb71c8eb68a4eb759064

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

337d098454313fde4d77c8a8de27326b.dll
Size

5.0MB
MD5

337d098454313fde4d77c8a8de27326b
SHA1

746166a08a47b30e5d68cd2d5f9c4ab03ebd29fb
SHA256

b5f9ea361b199585e9ab3eb4457b7aeebf2d15cb9586cb71c8eb68a4eb759064
SHA512

2682633e19607fdc71a0a7746a2714f28a23efc2ef2642ab32c8078a7bb7fdf7ff2c51b341d53a753519cadad137fe353c9e5e40ee432aac12a76e0c3135c761

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3242) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4704 mssecsvc.exe
3384 mssecsvc.exe
4856 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4704	mssecsvc.exe
3384	mssecsvc.exe
4856	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3432 wrote to memory of 904	3432	rundll32.exe	rundll32.exe
PID 3432 wrote to memory of 904	3432	rundll32.exe	rundll32.exe
PID 3432 wrote to memory of 904	3432	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 4704	904	rundll32.exe	mssecsvc.exe
PID 904 wrote to memory of 4704	904	rundll32.exe	mssecsvc.exe
PID 904 wrote to memory of 4704	904	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\337d098454313fde4d77c8a8de27326b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\337d098454313fde4d77c8a8de27326b.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:904

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4704

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4856

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
39d4cab730df4f9cac9d2392f301e7a8

SHA1
0b5b8c9b424d3daae800d0b2ed6fffabc843b73e

SHA256
fafac45e75a44e17031b1379e42251efc994f3236c79a555d9929b75ec632b4b

SHA512
40c5b74145d789b29c30d948109745a2afae9ed1f8d26aef579e000299cfb8c55c253c2f09b1766a02a9e8acb5fd8f1608f01eb663a3d4538c343bb791d814fd

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
39d4cab730df4f9cac9d2392f301e7a8

SHA1
0b5b8c9b424d3daae800d0b2ed6fffabc843b73e

SHA256
fafac45e75a44e17031b1379e42251efc994f3236c79a555d9929b75ec632b4b

SHA512
40c5b74145d789b29c30d948109745a2afae9ed1f8d26aef579e000299cfb8c55c253c2f09b1766a02a9e8acb5fd8f1608f01eb663a3d4538c343bb791d814fd

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
39d4cab730df4f9cac9d2392f301e7a8

SHA1
0b5b8c9b424d3daae800d0b2ed6fffabc843b73e

SHA256
fafac45e75a44e17031b1379e42251efc994f3236c79a555d9929b75ec632b4b

SHA512
40c5b74145d789b29c30d948109745a2afae9ed1f8d26aef579e000299cfb8c55c253c2f09b1766a02a9e8acb5fd8f1608f01eb663a3d4538c343bb791d814fd

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
94ff6fc10c93b9370a8e767b71cec0b5

SHA1
4b5c1bf5fe236914ab7bd19f909de5380b09d65a

SHA256
b657ab2c954e255f0ec16a9182728312fae77462f206881caf65ebc3854b85c0

SHA512
1b96f910def2c5fc1d0d307cddd94e8ecd0fa8004671d9a55b1ecc9c29a2fa6785e20fa2d4818f0e413789234f633deee02302567a4526cbf08155e879b97cea

Download Submit
memory/904-130-0x0000000000000000-mapping.dmp

Download
memory/4704-131-0x0000000000000000-mapping.dmp

Download