wannacry | 0ef3e12c837bd305c71966452aa170f20d4c3756a13308935a984e82bb76cc8b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:24

Target

df700ef9aeaee03255fb66a57c2609c7.dll
Size

5.0MB
MD5

df700ef9aeaee03255fb66a57c2609c7
SHA1

7400dbe5c6542ab39b442a8b980eb3927a4b26b9
SHA256

0ef3e12c837bd305c71966452aa170f20d4c3756a13308935a984e82bb76cc8b
SHA512

6d55f68e014fd00cf4c745c1929748c79132ac40668c52a199a7d8dffbdd589e9d0dad0c44816e918d52b43e0b25c47ce9c4adcc2219e230ee14ec1165a59d0a

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3289) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

3984 mssecsvr.exe
1944 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
3984	mssecsvr.exe
1944	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4692 wrote to memory of 1908	4692	rundll32.exe	rundll32.exe
PID 4692 wrote to memory of 1908	4692	rundll32.exe	rundll32.exe
PID 4692 wrote to memory of 1908	4692	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 3984	1908	rundll32.exe	mssecsvr.exe
PID 1908 wrote to memory of 3984	1908	rundll32.exe	mssecsvr.exe
PID 1908 wrote to memory of 3984	1908	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\df700ef9aeaee03255fb66a57c2609c7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4692

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
5d0f350460081add5700df70e7e1646e

SHA1
eac3fe1e24fffec1c263127f91e20a738960129e

SHA256
f229f1a829852b1a49d7a9e9d620721824deeca6f27d0a2963c4058c8d6bc0a6

SHA512
c4655fcad6e65aea581b7e80248f57f092d7c2cb0e8dbb9befd73185f2de8fcfa8dddc1eb56042e1f32bb3f56ebe7464ce0ce681e7b497ebaaa29cd8e71a1931

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
5d0f350460081add5700df70e7e1646e

SHA1
eac3fe1e24fffec1c263127f91e20a738960129e

SHA256
f229f1a829852b1a49d7a9e9d620721824deeca6f27d0a2963c4058c8d6bc0a6

SHA512
c4655fcad6e65aea581b7e80248f57f092d7c2cb0e8dbb9befd73185f2de8fcfa8dddc1eb56042e1f32bb3f56ebe7464ce0ce681e7b497ebaaa29cd8e71a1931

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
5d0f350460081add5700df70e7e1646e

SHA1
eac3fe1e24fffec1c263127f91e20a738960129e

SHA256
f229f1a829852b1a49d7a9e9d620721824deeca6f27d0a2963c4058c8d6bc0a6

SHA512
c4655fcad6e65aea581b7e80248f57f092d7c2cb0e8dbb9befd73185f2de8fcfa8dddc1eb56042e1f32bb3f56ebe7464ce0ce681e7b497ebaaa29cd8e71a1931

Download Submit
memory/1908-130-0x0000000000000000-mapping.dmp

Download
memory/3984-131-0x0000000000000000-mapping.dmp

Download