wannacry | c75a86773ca170086b4ab1041bbe86ac5781c43ad98c2c26c43ee89bec65ee0c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1426dfa5ada9a25984ea206aa31f2a46.dll
Size

5.0MB
MD5

1426dfa5ada9a25984ea206aa31f2a46
SHA1

803199d3bfa9cd52bf43fce2f607704d56472a15
SHA256

c75a86773ca170086b4ab1041bbe86ac5781c43ad98c2c26c43ee89bec65ee0c
SHA512

be23564938facc7a563ef22ee15a6eb0bbf8af2b264e65c31bf076f2d71b7d78e070f5950747c53edef95e67fcbafe1e47c4a454628e696b532ce58c6f4c627a

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3306) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4660 mssecsvc.exe
2628 mssecsvc.exe
3032 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4660	mssecsvc.exe
2628	mssecsvc.exe
3032	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 620 wrote to memory of 2336	620	rundll32.exe	rundll32.exe
PID 620 wrote to memory of 2336	620	rundll32.exe	rundll32.exe
PID 620 wrote to memory of 2336	620	rundll32.exe	rundll32.exe
PID 2336 wrote to memory of 4660	2336	rundll32.exe	mssecsvc.exe
PID 2336 wrote to memory of 4660	2336	rundll32.exe	mssecsvc.exe
PID 2336 wrote to memory of 4660	2336	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1426dfa5ada9a25984ea206aa31f2a46.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1426dfa5ada9a25984ea206aa31f2a46.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2336

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4660

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3032

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
d37ae2f5cb03426ea3d4a114cd361d42

SHA1
dd1fbaba97ca17286633a1b281673e7ca27e54b3

SHA256
d57aba68864f88fb287aae1f61c2f32296ff5e257372727b9cd036ca1994e5f0

SHA512
eb7deea536ca1f9fcbf43cb0ba6249a783732d0b2a57c9c68604bab7bbeecf97d8aa962737b944e1c7a04087fdd9fab5b9f665b8623ccc952ee68d2603ff4aae

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d37ae2f5cb03426ea3d4a114cd361d42

SHA1
dd1fbaba97ca17286633a1b281673e7ca27e54b3

SHA256
d57aba68864f88fb287aae1f61c2f32296ff5e257372727b9cd036ca1994e5f0

SHA512
eb7deea536ca1f9fcbf43cb0ba6249a783732d0b2a57c9c68604bab7bbeecf97d8aa962737b944e1c7a04087fdd9fab5b9f665b8623ccc952ee68d2603ff4aae

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d37ae2f5cb03426ea3d4a114cd361d42

SHA1
dd1fbaba97ca17286633a1b281673e7ca27e54b3

SHA256
d57aba68864f88fb287aae1f61c2f32296ff5e257372727b9cd036ca1994e5f0

SHA512
eb7deea536ca1f9fcbf43cb0ba6249a783732d0b2a57c9c68604bab7bbeecf97d8aa962737b944e1c7a04087fdd9fab5b9f665b8623ccc952ee68d2603ff4aae

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
e7d311db4d1d36830dd974555a6aeb41

SHA1
9c7e8d3fa8dedb3a04df351741b56038742dfeca

SHA256
5a56912bb2aae45e9bc97a822dd7da2e1d7cdcd1128fa9906e5b03e91ccbeb86

SHA512
62f156b9366eb2109b91c6a0d62e3033819e43701335cd3a37e0b6ea81ad9f05670764792c2785544215d209dde56229f24e43c732d6b1791e36a0880dc2b060

Download Submit
memory/2336-130-0x0000000000000000-mapping.dmp

Download
memory/4660-131-0x0000000000000000-mapping.dmp

Download