wannacry | f72d753cc258c7db1afff98235715b9b0824550009dc63090593ce078793ee84

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a37575f6c05279836ea85b8b4a3bd9bf.dll
Size

5.0MB
MD5

a37575f6c05279836ea85b8b4a3bd9bf
SHA1

cc9df61a7a5b1793bd1df43b97fb3227f0efac5d
SHA256

f72d753cc258c7db1afff98235715b9b0824550009dc63090593ce078793ee84
SHA512

64a3e3077fc7112c3d04deb876bcf22291be1f3f5bb0fd2a3bc1c359acf73460944fe7762cc1013527ed02b3613d607cbb681eeb6b417bf7d306d2602c867257

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3276) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2228 mssecsvc.exe
3436 mssecsvc.exe
4332 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2228	mssecsvc.exe
3436	mssecsvc.exe
4332	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1120 wrote to memory of 1376	1120	rundll32.exe	rundll32.exe
PID 1120 wrote to memory of 1376	1120	rundll32.exe	rundll32.exe
PID 1120 wrote to memory of 1376	1120	rundll32.exe	rundll32.exe
PID 1376 wrote to memory of 2228	1376	rundll32.exe	mssecsvc.exe
PID 1376 wrote to memory of 2228	1376	rundll32.exe	mssecsvc.exe
PID 1376 wrote to memory of 2228	1376	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a37575f6c05279836ea85b8b4a3bd9bf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a37575f6c05279836ea85b8b4a3bd9bf.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1376

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2228

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4332

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
cc84aa24c70fccff015245e1869ee303

SHA1
61995e9dfb9498bd25eae1b89f164bf13c916226

SHA256
69981afd3830dedfbb88cd8d455fd5da827bf19ca43f2b98bfabba5782f77116

SHA512
bcc32dc3e842327b9ec0b8595e55e5e5e3c4c12ea619ad13b025e4ed0d93e2623e69409a3907d698902953d8c0a8197a68a449e142677b0cb07543bb73f6e87b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
cc84aa24c70fccff015245e1869ee303

SHA1
61995e9dfb9498bd25eae1b89f164bf13c916226

SHA256
69981afd3830dedfbb88cd8d455fd5da827bf19ca43f2b98bfabba5782f77116

SHA512
bcc32dc3e842327b9ec0b8595e55e5e5e3c4c12ea619ad13b025e4ed0d93e2623e69409a3907d698902953d8c0a8197a68a449e142677b0cb07543bb73f6e87b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
cc84aa24c70fccff015245e1869ee303

SHA1
61995e9dfb9498bd25eae1b89f164bf13c916226

SHA256
69981afd3830dedfbb88cd8d455fd5da827bf19ca43f2b98bfabba5782f77116

SHA512
bcc32dc3e842327b9ec0b8595e55e5e5e3c4c12ea619ad13b025e4ed0d93e2623e69409a3907d698902953d8c0a8197a68a449e142677b0cb07543bb73f6e87b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
136381d43e5f843573a4af4e5bd7e299

SHA1
33e06cb688675503f5c28f9a08315b917eb2fbcf

SHA256
4aa536befc581d2e2de8300ba184f287734d7269d5319e33574be3670c10d118

SHA512
bce01deebc21faa592b8acf8e2bca215033d419cbb1d292ab6ad400dacd2d32c51125c53182f44dfb1dc9ab0af515e4093df74e739428fbca963c758d2c343fa

Download Submit
memory/1376-130-0x0000000000000000-mapping.dmp

Download
memory/2228-131-0x0000000000000000-mapping.dmp

Download