wannacry | 0b6e9d6b978adda20feed22f0be3a01ad87e5a73aac915a0a8cb8d9837863701

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
20-07-2022 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28e2252bcdfe3239f1db3759e80e9ad0.dll
Size

5.0MB
MD5

28e2252bcdfe3239f1db3759e80e9ad0
SHA1

a24337038589cc514d08fd43beb66fb5d33ea32d
SHA256

0b6e9d6b978adda20feed22f0be3a01ad87e5a73aac915a0a8cb8d9837863701
SHA512

0aee17fda834f85cf1683869a29a3d0b797df5e817f3a5109cc1472e95601c8400e097506319c5ac51bc35b0d9105c2eca0a26e4c69bdd928b83f6035c583c7b

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1311) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1820 mssecsvc.exe
1232 mssecsvc.exe
1980 tasksche.exe

pid	process
1820	mssecsvc.exe
1232	mssecsvc.exe
1980	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1432 wrote to memory of 1532	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1532	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1532	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1532	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1532	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1532	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 1532	1432	rundll32.exe	rundll32.exe
PID 1532 wrote to memory of 1820	1532	rundll32.exe	mssecsvc.exe
PID 1532 wrote to memory of 1820	1532	rundll32.exe	mssecsvc.exe
PID 1532 wrote to memory of 1820	1532	rundll32.exe	mssecsvc.exe
PID 1532 wrote to memory of 1820	1532	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\28e2252bcdfe3239f1db3759e80e9ad0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\28e2252bcdfe3239f1db3759e80e9ad0.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1532

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1820

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1980

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
e95af9f80a0938de263d0bd2a57ad6d6

SHA1
b5ff16bfc78dcaf8d15cc0ea720e4da6dd9e52a5

SHA256
28499e53fe9dd0788c132612070e35d1a53cd65f98c08d61f5dd5bf05b9a9a18

SHA512
3126e5e8aba1a8d1e899dff057f6f121da5379c6c2ff61d17bf4b9a0ed1cf83a514fe5e55387c64caa484abb2ee90544b9031bc12dd2d442d7d7cecbf0cc1c27

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e95af9f80a0938de263d0bd2a57ad6d6

SHA1
b5ff16bfc78dcaf8d15cc0ea720e4da6dd9e52a5

SHA256
28499e53fe9dd0788c132612070e35d1a53cd65f98c08d61f5dd5bf05b9a9a18

SHA512
3126e5e8aba1a8d1e899dff057f6f121da5379c6c2ff61d17bf4b9a0ed1cf83a514fe5e55387c64caa484abb2ee90544b9031bc12dd2d442d7d7cecbf0cc1c27

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e95af9f80a0938de263d0bd2a57ad6d6

SHA1
b5ff16bfc78dcaf8d15cc0ea720e4da6dd9e52a5

SHA256
28499e53fe9dd0788c132612070e35d1a53cd65f98c08d61f5dd5bf05b9a9a18

SHA512
3126e5e8aba1a8d1e899dff057f6f121da5379c6c2ff61d17bf4b9a0ed1cf83a514fe5e55387c64caa484abb2ee90544b9031bc12dd2d442d7d7cecbf0cc1c27

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
00bc8d99be794121a7a3a2ad7501994e

SHA1
3c34dcddde8ff946e28df8ee2f4cb3bede39670f

SHA256
65214ab0eb6a0e410048c74e5f99ba3e75a500562a9e804a3096f65f9fa16257

SHA512
770ba1db33936f1471d8f331f725853ae1196aa2c589cfeaa107054d97674d485b44c4fd1edd34d4001f4037ade78fdd517fa12353a9982a859b182f23d3d400

Download Submit
memory/1532-54-0x0000000000000000-mapping.dmp

Download
memory/1532-55-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1820-56-0x0000000000000000-mapping.dmp

Download