wannacry | 40817631c9126d9c6ee51ed0bfae33a33c81c21188384b6f3ccbbf14aeadf272

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

425ec08bc3a0a7714579a61c084e8a30.dll
Size

5.0MB
MD5

425ec08bc3a0a7714579a61c084e8a30
SHA1

43f5d8e3c16132d75d4c99499e456ed7dbdfdaff
SHA256

40817631c9126d9c6ee51ed0bfae33a33c81c21188384b6f3ccbbf14aeadf272
SHA512

8ce530aea61836943f39b83001801b53741eb3f1ca99d7771d04a346f9d55beae8f3238dd1447942055a8d90313709a8375135ba0e73bad0fd7ddabc8ff2b173

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3222) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4140 mssecsvc.exe
4528 mssecsvc.exe
2412 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4140	mssecsvc.exe
4528	mssecsvc.exe
2412	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3316 wrote to memory of 4736	3316	rundll32.exe	rundll32.exe
PID 3316 wrote to memory of 4736	3316	rundll32.exe	rundll32.exe
PID 3316 wrote to memory of 4736	3316	rundll32.exe	rundll32.exe
PID 4736 wrote to memory of 4140	4736	rundll32.exe	mssecsvc.exe
PID 4736 wrote to memory of 4140	4736	rundll32.exe	mssecsvc.exe
PID 4736 wrote to memory of 4140	4736	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\425ec08bc3a0a7714579a61c084e8a30.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\425ec08bc3a0a7714579a61c084e8a30.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4736

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4140

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2412

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
fa59dca1f30b69d7ca1fc67daec15615

SHA1
edff562e558d0dce41d85c556029d7f616a6b2ce

SHA256
40456d7d08610808e636e1059075b258b70195ea209e6385fbcb96e2df93fa56

SHA512
fa3d7884d9cd79ed98647a67c8605f66fa0f57096734c5ceb0b5bfdc8ab76271569bb6d68cbe191b10ce6f780967ce738bbdf76aeaf51f3ffbee69ad47276f1b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
fa59dca1f30b69d7ca1fc67daec15615

SHA1
edff562e558d0dce41d85c556029d7f616a6b2ce

SHA256
40456d7d08610808e636e1059075b258b70195ea209e6385fbcb96e2df93fa56

SHA512
fa3d7884d9cd79ed98647a67c8605f66fa0f57096734c5ceb0b5bfdc8ab76271569bb6d68cbe191b10ce6f780967ce738bbdf76aeaf51f3ffbee69ad47276f1b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
fa59dca1f30b69d7ca1fc67daec15615

SHA1
edff562e558d0dce41d85c556029d7f616a6b2ce

SHA256
40456d7d08610808e636e1059075b258b70195ea209e6385fbcb96e2df93fa56

SHA512
fa3d7884d9cd79ed98647a67c8605f66fa0f57096734c5ceb0b5bfdc8ab76271569bb6d68cbe191b10ce6f780967ce738bbdf76aeaf51f3ffbee69ad47276f1b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
fc0195c3fbc9d1ba19811d3c36b2bea4

SHA1
d618abf74712f8730fbad1d0988d1c30e1ec036b

SHA256
0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739

SHA512
01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965

Download Submit
memory/4140-131-0x0000000000000000-mapping.dmp

Download
memory/4736-130-0x0000000000000000-mapping.dmp

Download