wannacry | f2296230172c19e908b726e85bd9ac069f0b786718a28e066482dae2261ef5c2

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc8f2156c4945882116b8516359cc67.dll
Size

5.0MB
MD5

adc8f2156c4945882116b8516359cc67
SHA1

ba6e3dd3516b3d8a6742879fb7e86e6218a0cfcb
SHA256

f2296230172c19e908b726e85bd9ac069f0b786718a28e066482dae2261ef5c2
SHA512

a1530ab0cbc5ace2c7c870d461f7f23208d49af5ad47b483a9d0cf0a5fb2f36b99b7ddec42f8268a0b9505428b328c78c653665c304a30864d2c1e34c431599e

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3102) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4136 mssecsvc.exe
4336 mssecsvc.exe
4960 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4136	mssecsvc.exe
4336	mssecsvc.exe
4960	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4900 wrote to memory of 4552	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4552	4900	rundll32.exe	rundll32.exe
PID 4900 wrote to memory of 4552	4900	rundll32.exe	rundll32.exe
PID 4552 wrote to memory of 4136	4552	rundll32.exe	mssecsvc.exe
PID 4552 wrote to memory of 4136	4552	rundll32.exe	mssecsvc.exe
PID 4552 wrote to memory of 4136	4552	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc8f2156c4945882116b8516359cc67.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc8f2156c4945882116b8516359cc67.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4552

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4136

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4960

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
136b7c839471d10ae0debb739942f0df

SHA1
093046c7668fac352cc56ed12ae31b11d7867bca

SHA256
e6e69274e8c529f3030d269176c1ba3e8a4aaec75d096527034e1c0ce13f42af

SHA512
f7dbaedaf65ead6760f88d3261c4b12e19cdfdf000d3166fc4f2d7893812590d791a4156ff0f04d341a82d87a793a1b88263c0466805d7685943729367cb3a52

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
136b7c839471d10ae0debb739942f0df

SHA1
093046c7668fac352cc56ed12ae31b11d7867bca

SHA256
e6e69274e8c529f3030d269176c1ba3e8a4aaec75d096527034e1c0ce13f42af

SHA512
f7dbaedaf65ead6760f88d3261c4b12e19cdfdf000d3166fc4f2d7893812590d791a4156ff0f04d341a82d87a793a1b88263c0466805d7685943729367cb3a52

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
136b7c839471d10ae0debb739942f0df

SHA1
093046c7668fac352cc56ed12ae31b11d7867bca

SHA256
e6e69274e8c529f3030d269176c1ba3e8a4aaec75d096527034e1c0ce13f42af

SHA512
f7dbaedaf65ead6760f88d3261c4b12e19cdfdf000d3166fc4f2d7893812590d791a4156ff0f04d341a82d87a793a1b88263c0466805d7685943729367cb3a52

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
bfc5f9eab42f5010e039428a94783a2e

SHA1
d31d04474563147baba604abe22464234e31d5f9

SHA256
e5d5ffd0541d6504813b480bb30ec072c58db2feeaad2cf8925a125e399341b6

SHA512
f4ae0f31a9cfc70da17833321e6726093e58ee29e4380b1af2ea265ba80cd99bbacfc221a01e978c8c99c28eb8035609a80f502a371c93ab7921737f1bf2736c

Download Submit
memory/4136-131-0x0000000000000000-mapping.dmp

Download
memory/4552-130-0x0000000000000000-mapping.dmp

Download