wannacry | 55232d804aa5343e8247164b7d0b000ad5600437ab3a4314f35782e84abdeee5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7aaf623771619d8fa6ad2f4cbe119d0.dll
Size

5.0MB
MD5

a7aaf623771619d8fa6ad2f4cbe119d0
SHA1

6fe61fd0720ce969d5c3067d9ac46c014548167e
SHA256

55232d804aa5343e8247164b7d0b000ad5600437ab3a4314f35782e84abdeee5
SHA512

4f8311f09539c4fc0b588e667d8b3b5a6f57f16eb1c7862c249aa15cecef7c53a26a6163cece97b5da6f4a21779939aa6a1bf533dd9959e4b58970c7aaa6517f

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2601) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3512 mssecsvc.exe
3824 mssecsvc.exe
2592 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3512	mssecsvc.exe
3824	mssecsvc.exe
2592	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2388 wrote to memory of 1164	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 1164	2388	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 1164	2388	rundll32.exe	rundll32.exe
PID 1164 wrote to memory of 3512	1164	rundll32.exe	mssecsvc.exe
PID 1164 wrote to memory of 3512	1164	rundll32.exe	mssecsvc.exe
PID 1164 wrote to memory of 3512	1164	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7aaf623771619d8fa6ad2f4cbe119d0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7aaf623771619d8fa6ad2f4cbe119d0.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1164

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3512

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2592

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
d3be19db91d0b09b01c79f3ca4b0a5a6

SHA1
3494b7ed07b5342c282591244ab27013121ef40b

SHA256
53421bca7e187e9e3c6ba751c0986918e04cd34299a8d610447fa6b7ec24281b

SHA512
b5f9775513a91d1914ea6fa5c54b9095cfe23a73556d4b22789b69054e6ce97dcbd49fcbc584fa759d836b97c7b29cfc78bd28fd3031373447efd7138a065dc0

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d3be19db91d0b09b01c79f3ca4b0a5a6

SHA1
3494b7ed07b5342c282591244ab27013121ef40b

SHA256
53421bca7e187e9e3c6ba751c0986918e04cd34299a8d610447fa6b7ec24281b

SHA512
b5f9775513a91d1914ea6fa5c54b9095cfe23a73556d4b22789b69054e6ce97dcbd49fcbc584fa759d836b97c7b29cfc78bd28fd3031373447efd7138a065dc0

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d3be19db91d0b09b01c79f3ca4b0a5a6

SHA1
3494b7ed07b5342c282591244ab27013121ef40b

SHA256
53421bca7e187e9e3c6ba751c0986918e04cd34299a8d610447fa6b7ec24281b

SHA512
b5f9775513a91d1914ea6fa5c54b9095cfe23a73556d4b22789b69054e6ce97dcbd49fcbc584fa759d836b97c7b29cfc78bd28fd3031373447efd7138a065dc0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
31165000c5ef31d89c39a7cc1a7d08f0

SHA1
ea7518610f29c524ae49b4bab97524e76b0ebe3f

SHA256
cc3128647df24a9d506884d9929fee707dc4ee68b6b3d5bb3def9c98d435a83a

SHA512
ebbf5d84a0f1792b0cc877b08dddb38042054a387eb5e9dd85b039e6b7c04727d81ba0506763584a1edfca660133de955206cebf30588de6fd6a8ac8e5c843b3

Download Submit
memory/1164-130-0x0000000000000000-mapping.dmp

Download
memory/3512-131-0x0000000000000000-mapping.dmp

Download