wannacry | 7693af2f8fc81803bbe1b70d1e961fc6e4bcd6ac5388df003d0996d5f16fc312

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db8a92bfdf04eefe5e3a03c6f10d4a0.dll
Size

5.0MB
MD5

1db8a92bfdf04eefe5e3a03c6f10d4a0
SHA1

a4c4f2cee7865dad9b589c9767884f6fd244139f
SHA256

7693af2f8fc81803bbe1b70d1e961fc6e4bcd6ac5388df003d0996d5f16fc312
SHA512

1d04ceb7775f99f383ebf81b54ea2132d6c1e0ee9947730792232d7a085711c84d5456b06320f705567dfc5dd4c6e306289caf2f3efe1dd18326c661b93f9f44

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3225) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2276 mssecsvc.exe
4396 mssecsvc.exe
4036 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
2276	mssecsvc.exe
4396	mssecsvc.exe
4036	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4560 wrote to memory of 656	4560	rundll32.exe	rundll32.exe
PID 4560 wrote to memory of 656	4560	rundll32.exe	rundll32.exe
PID 4560 wrote to memory of 656	4560	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 2276	656	rundll32.exe	mssecsvc.exe
PID 656 wrote to memory of 2276	656	rundll32.exe	mssecsvc.exe
PID 656 wrote to memory of 2276	656	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db8a92bfdf04eefe5e3a03c6f10d4a0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db8a92bfdf04eefe5e3a03c6f10d4a0.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:656

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2276

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4036

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
c3a8622bebb5560c3e069ba0d29dd9da

SHA1
86220e94df437d1524e31eb6938fa110c6afea59

SHA256
b9f36e556e35ab90c51d02a404676e65675e85ac1cfae2caf92327e0c0db83f7

SHA512
24b8bf4b52603a9dcd8f5bc975d9b8ee00d34428b0b7293a789504fb807124c03730368622152d5bab767d25a45b58d76b36f89ca70b4171c25fede063eb03fb

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
c3a8622bebb5560c3e069ba0d29dd9da

SHA1
86220e94df437d1524e31eb6938fa110c6afea59

SHA256
b9f36e556e35ab90c51d02a404676e65675e85ac1cfae2caf92327e0c0db83f7

SHA512
24b8bf4b52603a9dcd8f5bc975d9b8ee00d34428b0b7293a789504fb807124c03730368622152d5bab767d25a45b58d76b36f89ca70b4171c25fede063eb03fb

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
c3a8622bebb5560c3e069ba0d29dd9da

SHA1
86220e94df437d1524e31eb6938fa110c6afea59

SHA256
b9f36e556e35ab90c51d02a404676e65675e85ac1cfae2caf92327e0c0db83f7

SHA512
24b8bf4b52603a9dcd8f5bc975d9b8ee00d34428b0b7293a789504fb807124c03730368622152d5bab767d25a45b58d76b36f89ca70b4171c25fede063eb03fb

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
8ae55226b8317daa64f79b5fa1f1ca64

SHA1
e47767b66115ab4381f39217fa2a23baf7b24585

SHA256
c3803fdd7fe92e92b83e55e09815f507ef2c1863762befac168eec2a6be0787b

SHA512
67965e7360d4f88696a2a7309829c44bcbcfe0d4866ca87f0095a294070f2575004bad0817243022409256b784c0b53e310d48edc09cf0ace873a8885c74d45e

Download Submit
memory/656-130-0x0000000000000000-mapping.dmp

Download
memory/2276-131-0x0000000000000000-mapping.dmp

Download