wannacry | 5e1ed6dce864564ca3e35e411a9ac6573d649313f5fbb388bbbaba0ee65b8c34

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24ad1977f214cd1c59c4f3139cb4acf6.dll
Size

5.0MB
MD5

24ad1977f214cd1c59c4f3139cb4acf6
SHA1

6dc758c9ab7ffd729eb03ab37e6be8c200997398
SHA256

5e1ed6dce864564ca3e35e411a9ac6573d649313f5fbb388bbbaba0ee65b8c34
SHA512

8c06ca0ed666b8814286b26509d025c5fdaadb271295cd220f568a2aceb8240b8723b6913a8344d1d89f9d8d67cc0b2ab1b849e67c998d330b9be910cad2628b

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3092) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4148 mssecsvc.exe
4940 mssecsvc.exe
3388 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
4148	mssecsvc.exe
4940	mssecsvc.exe
3388	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4844 wrote to memory of 4412	4844	rundll32.exe	rundll32.exe
PID 4844 wrote to memory of 4412	4844	rundll32.exe	rundll32.exe
PID 4844 wrote to memory of 4412	4844	rundll32.exe	rundll32.exe
PID 4412 wrote to memory of 4148	4412	rundll32.exe	mssecsvc.exe
PID 4412 wrote to memory of 4148	4412	rundll32.exe	mssecsvc.exe
PID 4412 wrote to memory of 4148	4412	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ad1977f214cd1c59c4f3139cb4acf6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ad1977f214cd1c59c4f3139cb4acf6.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4412

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4148

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3388

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
323ac2851e6d5cc9a2cc17cb12297f09

SHA1
29d91ff2102a80190921642ab8380b6387565b44

SHA256
8db80d15b93b34bd34dbb808af6d1a28f1f6b44eca6187c62a1e3ac3fd36a7ff

SHA512
a9f738d027d7641619a27dda44ab26d23a1d318850db077ae5b2b6370ab48c3007477f8928b9fa0a5ca09d9312abd99063b69d08964ea56d655a636dbb267e42

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
323ac2851e6d5cc9a2cc17cb12297f09

SHA1
29d91ff2102a80190921642ab8380b6387565b44

SHA256
8db80d15b93b34bd34dbb808af6d1a28f1f6b44eca6187c62a1e3ac3fd36a7ff

SHA512
a9f738d027d7641619a27dda44ab26d23a1d318850db077ae5b2b6370ab48c3007477f8928b9fa0a5ca09d9312abd99063b69d08964ea56d655a636dbb267e42

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
323ac2851e6d5cc9a2cc17cb12297f09

SHA1
29d91ff2102a80190921642ab8380b6387565b44

SHA256
8db80d15b93b34bd34dbb808af6d1a28f1f6b44eca6187c62a1e3ac3fd36a7ff

SHA512
a9f738d027d7641619a27dda44ab26d23a1d318850db077ae5b2b6370ab48c3007477f8928b9fa0a5ca09d9312abd99063b69d08964ea56d655a636dbb267e42

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
348ae3f6c0c9791f80c2d323dcfb4766

SHA1
1e44f5909ad6a0fa8efcdf7bcfcf827f59250638

SHA256
68d05985a480d90e74a4fd2f189b8b78b8fd8432226d24b553695aff751e2018

SHA512
af5a2b157c7637bd8e4a0accd800355c354ddf347d7ce3e1c13363178d2a75ccf4ac588a1f44f7a475d1e207961bd0d6fa640e847852315a6681fab4ae070ae1

Download Submit
memory/4148-131-0x0000000000000000-mapping.dmp

Download
memory/4412-130-0x0000000000000000-mapping.dmp

Download