wannacry | 01354b983b9fdd062a07bc81eba06d4ba422a04417577f61949f4cbfef767777

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
20-07-2022 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bdd9c4ee845c748d53c9ceb87bb1552.dll
Size

5.0MB
MD5

5bdd9c4ee845c748d53c9ceb87bb1552
SHA1

6363c1c24ceae061fe847d470ad6a57df65eecbf
SHA256

01354b983b9fdd062a07bc81eba06d4ba422a04417577f61949f4cbfef767777
SHA512

4e737e3b9db8a8506aab1eb9d2329d3ceb8ceba53e82be4e71ddbfb09303674b5c51cbba16751d85548f734e88b7bfcab6b89d1bac1947d4ede9496e27285772

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1340) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

892 mssecsvc.exe
1316 mssecsvc.exe
1272 tasksche.exe

pid	process
892	mssecsvc.exe
1316	mssecsvc.exe
1272	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 880 wrote to memory of 1032	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 1032	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 1032	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 1032	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 1032	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 1032	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 1032	880	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 892	1032	rundll32.exe	mssecsvc.exe
PID 1032 wrote to memory of 892	1032	rundll32.exe	mssecsvc.exe
PID 1032 wrote to memory of 892	1032	rundll32.exe	mssecsvc.exe
PID 1032 wrote to memory of 892	1032	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bdd9c4ee845c748d53c9ceb87bb1552.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bdd9c4ee845c748d53c9ceb87bb1552.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1032

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:892

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1272

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
e4ef070dfda1d4e450ab4e265dea180b

SHA1
389470aed220164ea7bed86f26f29257927024e0

SHA256
23859f861f1e598a86208b5e0f953d27797b6375ab510a11217a15d046af94fc

SHA512
04e3c200b5f4f5c05c88a3325f1af049b3666b2583fa37b3a052c9faf48c8e51ba035ae8b23259e8eaa02db5f64d47639532f247a3ff5a13a0a6943dfbf171e5

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e4ef070dfda1d4e450ab4e265dea180b

SHA1
389470aed220164ea7bed86f26f29257927024e0

SHA256
23859f861f1e598a86208b5e0f953d27797b6375ab510a11217a15d046af94fc

SHA512
04e3c200b5f4f5c05c88a3325f1af049b3666b2583fa37b3a052c9faf48c8e51ba035ae8b23259e8eaa02db5f64d47639532f247a3ff5a13a0a6943dfbf171e5

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e4ef070dfda1d4e450ab4e265dea180b

SHA1
389470aed220164ea7bed86f26f29257927024e0

SHA256
23859f861f1e598a86208b5e0f953d27797b6375ab510a11217a15d046af94fc

SHA512
04e3c200b5f4f5c05c88a3325f1af049b3666b2583fa37b3a052c9faf48c8e51ba035ae8b23259e8eaa02db5f64d47639532f247a3ff5a13a0a6943dfbf171e5

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
512093b85c83e87660d166d86df3afa4

SHA1
5003859020e4b750412d954b0473e35804510fde

SHA256
3b4a2069539a79d05fe257956560b8a6d7f27041c6d18cf5351bc3c2b8e21945

SHA512
69a0551e2e05befccf82f2f3a7b219990ec05a386980a8c1215c2760753252c8a8e35a79bb1573dcf21ef61669ceecb9cf3594bd64f6b10077b3378dfd1b34ba

Download Submit
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/1032-54-0x0000000000000000-mapping.dmp

Download
memory/1032-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download