wannacry | 580f6e9fdbfd5f1fbb439573dd21ef1b56ce227f66ad3c8364c3c553a04e6686

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7835ea6ac1cd6702bb50ea57fd598716.dll
Size

5.0MB
MD5

7835ea6ac1cd6702bb50ea57fd598716
SHA1

36aea0d627d0d7d2ee8d4d1ca931d4ea8cf290d8
SHA256

580f6e9fdbfd5f1fbb439573dd21ef1b56ce227f66ad3c8364c3c553a04e6686
SHA512

7feb8ea65efa5c9924ef17672880d31cc652d878e49ad3da3a4c29b4b79685e1d328072a9d32d6d2a7e3b734e2f3b231e287b7254e4d3d8ba020c9f2a556388f

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3211) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

3996 mssecsvc.exe
4568 mssecsvc.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3996	mssecsvc.exe
4568	mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4268 wrote to memory of 816	4268	rundll32.exe	rundll32.exe
PID 4268 wrote to memory of 816	4268	rundll32.exe	rundll32.exe
PID 4268 wrote to memory of 816	4268	rundll32.exe	rundll32.exe
PID 816 wrote to memory of 3996	816	rundll32.exe	mssecsvc.exe
PID 816 wrote to memory of 3996	816	rundll32.exe	mssecsvc.exe
PID 816 wrote to memory of 3996	816	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7835ea6ac1cd6702bb50ea57fd598716.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7835ea6ac1cd6702bb50ea57fd598716.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:816

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3996

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
22550629ee04ba197cc47236edd51a24

SHA1
238f14a6f1fbfc1340e22bf01590dc4fd7686d04

SHA256
084088b524fdde60e4d46aa68714c095bc80a1134bfa6f613beccc7c332451ed

SHA512
9575fb1e07f631fb3856884e737a44733bfc71e0d1cc36bf6e09208addd286d2bf35dcbe063142c947ea87d5995ca5b1a423cfaa5dff6e6e5711a86f914ff88b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
22550629ee04ba197cc47236edd51a24

SHA1
238f14a6f1fbfc1340e22bf01590dc4fd7686d04

SHA256
084088b524fdde60e4d46aa68714c095bc80a1134bfa6f613beccc7c332451ed

SHA512
9575fb1e07f631fb3856884e737a44733bfc71e0d1cc36bf6e09208addd286d2bf35dcbe063142c947ea87d5995ca5b1a423cfaa5dff6e6e5711a86f914ff88b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
22550629ee04ba197cc47236edd51a24

SHA1
238f14a6f1fbfc1340e22bf01590dc4fd7686d04

SHA256
084088b524fdde60e4d46aa68714c095bc80a1134bfa6f613beccc7c332451ed

SHA512
9575fb1e07f631fb3856884e737a44733bfc71e0d1cc36bf6e09208addd286d2bf35dcbe063142c947ea87d5995ca5b1a423cfaa5dff6e6e5711a86f914ff88b

Download Submit
memory/816-130-0x0000000000000000-mapping.dmp

Download
memory/3996-131-0x0000000000000000-mapping.dmp

Download
memory/3996-134-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/3996-137-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/4568-136-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/4568-138-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download