wannacry | d40f08d685dd1eb56588e26f957f1f8a9edca5108ec544b49cdb0f2a7ef63088

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

578faa50a3077ece4cdee7cffa2ab0ce.dll
Size

5.0MB
MD5

578faa50a3077ece4cdee7cffa2ab0ce
SHA1

7aee2447567695ea6e557910e196e691137ecc06
SHA256

d40f08d685dd1eb56588e26f957f1f8a9edca5108ec544b49cdb0f2a7ef63088
SHA512

dc2b246a17282430347a1dd6aaeeb2848c199918860735121d2aaf2ef605fd07a49431fd360bbda452bf2036feb67059c3e15118f38f08fe5d2e5a9dbff21b5e

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3182) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4728 mssecsvc.exe
1724 mssecsvc.exe
4740 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4728	mssecsvc.exe
1724	mssecsvc.exe
4740	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4176 wrote to memory of 5100	4176	rundll32.exe	rundll32.exe
PID 4176 wrote to memory of 5100	4176	rundll32.exe	rundll32.exe
PID 4176 wrote to memory of 5100	4176	rundll32.exe	rundll32.exe
PID 5100 wrote to memory of 4728	5100	rundll32.exe	mssecsvc.exe
PID 5100 wrote to memory of 4728	5100	rundll32.exe	mssecsvc.exe
PID 5100 wrote to memory of 4728	5100	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\578faa50a3077ece4cdee7cffa2ab0ce.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\578faa50a3077ece4cdee7cffa2ab0ce.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5100

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4728

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4740

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
aa6dceaa71386d5c7594856429223c8d

SHA1
6dba170ec0004fb6951f4260059f5b038bce77f2

SHA256
90068ef120ee87d69f75fb29e2440d42cae87428b790ef50510952487c926b1f

SHA512
c6cf4d6947d252f24682255ec01a2acf2d3226eb00c07ef98c9856314d2ed939e80a4548b2cba169de4f6b74e7ee45b3bcf16ea98e65c95175cf76065d4e4064

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
aa6dceaa71386d5c7594856429223c8d

SHA1
6dba170ec0004fb6951f4260059f5b038bce77f2

SHA256
90068ef120ee87d69f75fb29e2440d42cae87428b790ef50510952487c926b1f

SHA512
c6cf4d6947d252f24682255ec01a2acf2d3226eb00c07ef98c9856314d2ed939e80a4548b2cba169de4f6b74e7ee45b3bcf16ea98e65c95175cf76065d4e4064

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
aa6dceaa71386d5c7594856429223c8d

SHA1
6dba170ec0004fb6951f4260059f5b038bce77f2

SHA256
90068ef120ee87d69f75fb29e2440d42cae87428b790ef50510952487c926b1f

SHA512
c6cf4d6947d252f24682255ec01a2acf2d3226eb00c07ef98c9856314d2ed939e80a4548b2cba169de4f6b74e7ee45b3bcf16ea98e65c95175cf76065d4e4064

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
6a7a4f797977e9246f8a448c842eee34

SHA1
f82dd7f17ba1a5163eb49b90be53c35bc7249308

SHA256
8e3f98bd9a2e58120986ad4d692ece036d7cadf4c171cdd9f469990cf9d62cf5

SHA512
72ccd69a8e0dae286f9a84a9c8aeba2e5cc05710a08234e2c4ead82e8cf6150dcdb5ab34729b806a91010ae5d4eea0c43e4ed70771430b60e5e55ec3c6796709

Download Submit
memory/4728-131-0x0000000000000000-mapping.dmp

Download
memory/5100-130-0x0000000000000000-mapping.dmp

Download