wannacry | 1ce398fce3e08622711cb74eb06650dc6ef1d4df3bd928261cc4e5b627b7c7fe

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f57b58c0c42d0dfbf27b46b02637434.dll
Size

5.0MB
MD5

4f57b58c0c42d0dfbf27b46b02637434
SHA1

d0aac992276be7ec15af54481ce127bf5e05958f
SHA256

1ce398fce3e08622711cb74eb06650dc6ef1d4df3bd928261cc4e5b627b7c7fe
SHA512

be5632be64efd94281a41a08c0db3d1362abf4210a05c52e1cc2a61abc0ea59bff53211130fa66d7d952ae24721f1fc2978051c007809097b6055b9f6d407cd1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3141) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4200 mssecsvc.exe
4112 mssecsvc.exe
4224 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4200	mssecsvc.exe
4112	mssecsvc.exe
4224	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4216 wrote to memory of 4240	4216	rundll32.exe	rundll32.exe
PID 4216 wrote to memory of 4240	4216	rundll32.exe	rundll32.exe
PID 4216 wrote to memory of 4240	4216	rundll32.exe	rundll32.exe
PID 4240 wrote to memory of 4200	4240	rundll32.exe	mssecsvc.exe
PID 4240 wrote to memory of 4200	4240	rundll32.exe	mssecsvc.exe
PID 4240 wrote to memory of 4200	4240	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f57b58c0c42d0dfbf27b46b02637434.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f57b58c0c42d0dfbf27b46b02637434.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4240

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4200

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4224

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
85a754c71ed3bff7699d646f84bf7ed4

SHA1
21369d13f6e7ee1ae357c4782427aa3efb702914

SHA256
3270602c4180c5852729667323899773bb6aed20cfd8009d92300c61f86949ac

SHA512
6443594362fb476e51653a1b253e367889989dd4dc5988fa3b73ec88e5b00fdbe462e38e46c303baa2ffba26f9047876ca4bfc6b3f1a1263739286d0c16a062b

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
85a754c71ed3bff7699d646f84bf7ed4

SHA1
21369d13f6e7ee1ae357c4782427aa3efb702914

SHA256
3270602c4180c5852729667323899773bb6aed20cfd8009d92300c61f86949ac

SHA512
6443594362fb476e51653a1b253e367889989dd4dc5988fa3b73ec88e5b00fdbe462e38e46c303baa2ffba26f9047876ca4bfc6b3f1a1263739286d0c16a062b

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
85a754c71ed3bff7699d646f84bf7ed4

SHA1
21369d13f6e7ee1ae357c4782427aa3efb702914

SHA256
3270602c4180c5852729667323899773bb6aed20cfd8009d92300c61f86949ac

SHA512
6443594362fb476e51653a1b253e367889989dd4dc5988fa3b73ec88e5b00fdbe462e38e46c303baa2ffba26f9047876ca4bfc6b3f1a1263739286d0c16a062b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
e6c7d5762c3cdcfb416c36c1a6aec15f

SHA1
442cf1cc31390b20c13f9a7ebc430f2030bf165c

SHA256
f056e0c7ef9fff5838ccdf2754931761839552b36b99997cb6d9fb10770606d4

SHA512
54d9926d4addf5f48a66623c19b4ad019ea1325e468e412e4c3042adc005b79d0344c06a189cf34ffd8401391904249d61f411be166c25984170e74e518e23f2

Download Submit
memory/4112-136-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4112-139-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4200-131-0x0000000000000000-mapping.dmp

Download
memory/4200-134-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4200-138-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4240-130-0x0000000000000000-mapping.dmp

Download