wannacry | 8b4cbe2178443b6850797809888a8034ec392f7da4cdfa101405e8089fd79904

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

150e4b841fe23355e211a194d1651b05.dll
Size

5.0MB
MD5

150e4b841fe23355e211a194d1651b05
SHA1

5f4b745fccc00deda14c9734a7d674c544988974
SHA256

8b4cbe2178443b6850797809888a8034ec392f7da4cdfa101405e8089fd79904
SHA512

696b033baedbb1f57bc7136389c5fd3de580c36483acb1c7e9409504a9c668828950b733a1db79687da1ccb93bb6d29d28f667060be50a075d25307a17f2b845

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3264) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4704 mssecsvc.exe
2472 mssecsvc.exe
4356 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4704	mssecsvc.exe
2472	mssecsvc.exe
4356	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2192 wrote to memory of 4392	2192	rundll32.exe	rundll32.exe
PID 2192 wrote to memory of 4392	2192	rundll32.exe	rundll32.exe
PID 2192 wrote to memory of 4392	2192	rundll32.exe	rundll32.exe
PID 4392 wrote to memory of 4704	4392	rundll32.exe	mssecsvc.exe
PID 4392 wrote to memory of 4704	4392	rundll32.exe	mssecsvc.exe
PID 4392 wrote to memory of 4704	4392	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\150e4b841fe23355e211a194d1651b05.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\150e4b841fe23355e211a194d1651b05.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4392

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4704

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4356

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
ff29ff8a954add4f54bf23039ec9e41c

SHA1
95350e9107d77589c9822f105eee33f64c68af85

SHA256
f44c080cbe80e219a2fdbe1c1f1cd91d9fbebf364c256552029d5f6089b1ae6a

SHA512
a67ec38804fd7dce4b64e54187f5fb4706e5c0f5db7d219c6d41b240765afd2b26f662fc1b7aef085b0eefe51bce498e6b6e3579ec3a6532a96cceea3d0575c0

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ff29ff8a954add4f54bf23039ec9e41c

SHA1
95350e9107d77589c9822f105eee33f64c68af85

SHA256
f44c080cbe80e219a2fdbe1c1f1cd91d9fbebf364c256552029d5f6089b1ae6a

SHA512
a67ec38804fd7dce4b64e54187f5fb4706e5c0f5db7d219c6d41b240765afd2b26f662fc1b7aef085b0eefe51bce498e6b6e3579ec3a6532a96cceea3d0575c0

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ff29ff8a954add4f54bf23039ec9e41c

SHA1
95350e9107d77589c9822f105eee33f64c68af85

SHA256
f44c080cbe80e219a2fdbe1c1f1cd91d9fbebf364c256552029d5f6089b1ae6a

SHA512
a67ec38804fd7dce4b64e54187f5fb4706e5c0f5db7d219c6d41b240765afd2b26f662fc1b7aef085b0eefe51bce498e6b6e3579ec3a6532a96cceea3d0575c0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
ea5f3c4c30dcf0b1080f374c4ce9e973

SHA1
d3f5cefddb160ee8ae3eb72f802d52c7de923056

SHA256
e2e7326877fae0ff5ab917853d9d37cf4c15dd1908d53d65c4b93b3bd983c06d

SHA512
8df561603aeb276088bc5dfabfa320c938a9ac6b5e46fd6357604c7e00defa7a59ab44f201d6175ac39e16a343981b99f2a969ff88cc392126bebe51faa2e110

Download Submit
memory/4392-130-0x0000000000000000-mapping.dmp

Download
memory/4704-131-0x0000000000000000-mapping.dmp

Download