wannacry | 77e12c008e54a0bae4ef671851646d046c8bd5cac7be9c4d51a1c6826c4e39d1

Analysis

max time kernel
163s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a887a2a64f99c94907f4c002c71a8890.dll
Size

5.0MB
MD5

a887a2a64f99c94907f4c002c71a8890
SHA1

c6da5fe8653fc1a3bc3f13e1cbfa13eb58072e44
SHA256

77e12c008e54a0bae4ef671851646d046c8bd5cac7be9c4d51a1c6826c4e39d1
SHA512

db1f7d28c041e001ab502a2d4f518df6ab1dd05e6b2d70384e6679f33ab9d1308be62424a4dfab395295bda2c809526755311ad856c0a8b9976662363f7bd62b

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3122) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3604 mssecsvc.exe
4484 mssecsvc.exe
3760 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
3604	mssecsvc.exe
4484	mssecsvc.exe
3760	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3220 wrote to memory of 4736	3220	rundll32.exe	rundll32.exe
PID 3220 wrote to memory of 4736	3220	rundll32.exe	rundll32.exe
PID 3220 wrote to memory of 4736	3220	rundll32.exe	rundll32.exe
PID 4736 wrote to memory of 3604	4736	rundll32.exe	mssecsvc.exe
PID 4736 wrote to memory of 3604	4736	rundll32.exe	mssecsvc.exe
PID 4736 wrote to memory of 3604	4736	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a887a2a64f99c94907f4c002c71a8890.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a887a2a64f99c94907f4c002c71a8890.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4736

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3604

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3760

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
d2b4be294de6e71e3790aee24c8566fa

SHA1
f46223ca3f29226d092811c7b8422eb61d97e646

SHA256
e4e606677dea03368a3a73036f6761c9dd4e70f0768c65a0a5af442859cb57db

SHA512
145b3ae3d29189eb5e1cce2e60215d4c27c6ae2e9fd25fbd3ed7013642982e07e300c5e1c73904050df4237e5209b2a2a222df78285453a2d93a703dfa6da90a

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d2b4be294de6e71e3790aee24c8566fa

SHA1
f46223ca3f29226d092811c7b8422eb61d97e646

SHA256
e4e606677dea03368a3a73036f6761c9dd4e70f0768c65a0a5af442859cb57db

SHA512
145b3ae3d29189eb5e1cce2e60215d4c27c6ae2e9fd25fbd3ed7013642982e07e300c5e1c73904050df4237e5209b2a2a222df78285453a2d93a703dfa6da90a

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d2b4be294de6e71e3790aee24c8566fa

SHA1
f46223ca3f29226d092811c7b8422eb61d97e646

SHA256
e4e606677dea03368a3a73036f6761c9dd4e70f0768c65a0a5af442859cb57db

SHA512
145b3ae3d29189eb5e1cce2e60215d4c27c6ae2e9fd25fbd3ed7013642982e07e300c5e1c73904050df4237e5209b2a2a222df78285453a2d93a703dfa6da90a

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
63f5eea6935e0f325865258c68e4a5c6

SHA1
1e3a257405de49f6e5e8114a02ac671dee1bc218

SHA256
a1c3d00cbc804b0af9084d8ba2777570655e526206653f65965c17d2fc829c37

SHA512
04d705455c347a38cd857c98accfab41d1e06c12a358387d5de125bb4dfcb357ebc6b0a0e04a4d6922db1b89407dcf2e647d53ea7c74aca66316a18a5b18e346

Download Submit
memory/3604-131-0x0000000000000000-mapping.dmp

Download
memory/4736-130-0x0000000000000000-mapping.dmp

Download