wannacry | 5ff3670dc706430739e4ab20f8777d5ac3ace433bb0783b038fe8f9aaa2af461

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1e3bb77d27f27e98a33a21d16f35dde.dll
Size

5.0MB
MD5

d1e3bb77d27f27e98a33a21d16f35dde
SHA1

a00abd82ed0a4f90c4525692f20b8f64954263d8
SHA256

5ff3670dc706430739e4ab20f8777d5ac3ace433bb0783b038fe8f9aaa2af461
SHA512

f7f8fdc2afc776a9fecce2cf4999afcc3a89c9ec5fc7b33e589b8286419ff5f8cf4a5f4db2c2bab60fa55ca771b72b7f4c791c31b345c7a074409c8b6e4565a8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3179) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4916 mssecsvc.exe
4496 mssecsvc.exe
4192 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4916	mssecsvc.exe
4496	mssecsvc.exe
4192	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4880 wrote to memory of 2700	4880	rundll32.exe	rundll32.exe
PID 4880 wrote to memory of 2700	4880	rundll32.exe	rundll32.exe
PID 4880 wrote to memory of 2700	4880	rundll32.exe	rundll32.exe
PID 2700 wrote to memory of 4916	2700	rundll32.exe	mssecsvc.exe
PID 2700 wrote to memory of 4916	2700	rundll32.exe	mssecsvc.exe
PID 2700 wrote to memory of 4916	2700	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2700

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4916

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4192

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
5ba925494b73756d097e80120e2f8643

SHA1
94802dd4290fb1a754d4e528b9b17f8cede48684

SHA256
0dc746e2f1d11dce59e2204750efa789ce75e3adda8a6ffa2abd12cb3686d351

SHA512
791192fa7a9774c8d2315557ea10312ac37a774ea253c4edbd66d1c6ee58044d851254fe14f887fc99e13ead7b0c0baa9f88b25db8db3225771695f4787663a0

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5ba925494b73756d097e80120e2f8643

SHA1
94802dd4290fb1a754d4e528b9b17f8cede48684

SHA256
0dc746e2f1d11dce59e2204750efa789ce75e3adda8a6ffa2abd12cb3686d351

SHA512
791192fa7a9774c8d2315557ea10312ac37a774ea253c4edbd66d1c6ee58044d851254fe14f887fc99e13ead7b0c0baa9f88b25db8db3225771695f4787663a0

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5ba925494b73756d097e80120e2f8643

SHA1
94802dd4290fb1a754d4e528b9b17f8cede48684

SHA256
0dc746e2f1d11dce59e2204750efa789ce75e3adda8a6ffa2abd12cb3686d351

SHA512
791192fa7a9774c8d2315557ea10312ac37a774ea253c4edbd66d1c6ee58044d851254fe14f887fc99e13ead7b0c0baa9f88b25db8db3225771695f4787663a0

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3b77b7c0b982d993043f011f53c197a3

SHA1
c61468cd39a074654adba2081bf5889ef68887b4

SHA256
5d84cf9769c5820e7932497ed6a333c7df27ad01329884059418970af0918653

SHA512
680b0aceeb9204beb325a2fef8f536d36bad08dfded92d70b6ec0f3a4ae884b73a78fd764883b1210963711ad1d86a9f87646e7410e2f4678fc862f4f9344867

Download Submit
memory/2700-130-0x0000000000000000-mapping.dmp

Download
memory/4916-131-0x0000000000000000-mapping.dmp

Download