wannacry | 72f7e4e984d7b866d04d110d62ace0743f7229cd34889f5189cff9bb83084b9e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbf9df803879eb3ca21ac1b623185b5d.dll
Size

5.0MB
MD5

bbf9df803879eb3ca21ac1b623185b5d
SHA1

f8798ff9b0d4f0205ce2b2c5d8a310689e131736
SHA256

72f7e4e984d7b866d04d110d62ace0743f7229cd34889f5189cff9bb83084b9e
SHA512

fc3e5ffd426a277e7f5c48514cccbb36266811751c54ae10600095355cb27f32e70700b33f3b107509349cdb6c29a4e5279f1f9398dc9edda54599270fc2a522

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2686) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1972 mssecsvc.exe
2412 mssecsvc.exe
4036 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1972	mssecsvc.exe
2412	mssecsvc.exe
4036	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1680 wrote to memory of 5032	1680	rundll32.exe	rundll32.exe
PID 1680 wrote to memory of 5032	1680	rundll32.exe	rundll32.exe
PID 1680 wrote to memory of 5032	1680	rundll32.exe	rundll32.exe
PID 5032 wrote to memory of 1972	5032	rundll32.exe	mssecsvc.exe
PID 5032 wrote to memory of 1972	5032	rundll32.exe	mssecsvc.exe
PID 5032 wrote to memory of 1972	5032	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbf9df803879eb3ca21ac1b623185b5d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbf9df803879eb3ca21ac1b623185b5d.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5032

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1972

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4036

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
404ed449b2e6c758ae005323470d3d6b

SHA1
5acc4178a2dba745555d71e3e8b17a48eef61e69

SHA256
3551641e8dcb505145d98214daf8a70858088da67ad15f862fcc37d099abc72b

SHA512
96340935fa7912fdcaca3d072557c1d8cd60662ed08fd906f4818d698a24ee8b3c59bdc722e3849ce51037e1e67267de1a9db915ad9307c630e232d88bf2169c

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
404ed449b2e6c758ae005323470d3d6b

SHA1
5acc4178a2dba745555d71e3e8b17a48eef61e69

SHA256
3551641e8dcb505145d98214daf8a70858088da67ad15f862fcc37d099abc72b

SHA512
96340935fa7912fdcaca3d072557c1d8cd60662ed08fd906f4818d698a24ee8b3c59bdc722e3849ce51037e1e67267de1a9db915ad9307c630e232d88bf2169c

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
404ed449b2e6c758ae005323470d3d6b

SHA1
5acc4178a2dba745555d71e3e8b17a48eef61e69

SHA256
3551641e8dcb505145d98214daf8a70858088da67ad15f862fcc37d099abc72b

SHA512
96340935fa7912fdcaca3d072557c1d8cd60662ed08fd906f4818d698a24ee8b3c59bdc722e3849ce51037e1e67267de1a9db915ad9307c630e232d88bf2169c

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
fab4b9c83e6cec59aacc65a149ee6528

SHA1
9854923a1d121037ada38031337b0f6576a7b2b0

SHA256
6bb133db6ad270a180724bb1a726d1004cff6cf19fb2c33cb0cb6dc727bd18e1

SHA512
a14f605f1c01a4fac911b2cea74c7faaef7061bb4c34313153a569257b01f667828546bbbbcc4f7ad079375140caac418d58314102d802441bec8f6d87cd14c2

Download Submit
memory/1972-131-0x0000000000000000-mapping.dmp

Download
memory/5032-130-0x0000000000000000-mapping.dmp

Download