wannacry | 3db99d9bdf316d6f945c59db3ff53b71354c5c2080ee78ae39b61a03a2c1c52e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdc06e09bd0d4683eae51940922c325d.dll
Size

5.0MB
MD5

fdc06e09bd0d4683eae51940922c325d
SHA1

a55f954ada5ddb7faf4ec3db3ea3a7b7416325fd
SHA256

3db99d9bdf316d6f945c59db3ff53b71354c5c2080ee78ae39b61a03a2c1c52e
SHA512

036075ebd79a14a07e0a260c7d3e4cef425dcf5a84c9d7193f9dcc23227945b5914f0864fc72db6e445d296f65125926749eb256a99ee05fc28ba4105d1c6182

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3223) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3436 mssecsvc.exe
3528 mssecsvc.exe
4016 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3436	mssecsvc.exe
3528	mssecsvc.exe
4016	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3044 wrote to memory of 4116	3044	rundll32.exe	rundll32.exe
PID 3044 wrote to memory of 4116	3044	rundll32.exe	rundll32.exe
PID 3044 wrote to memory of 4116	3044	rundll32.exe	rundll32.exe
PID 4116 wrote to memory of 3436	4116	rundll32.exe	mssecsvc.exe
PID 4116 wrote to memory of 3436	4116	rundll32.exe	mssecsvc.exe
PID 4116 wrote to memory of 3436	4116	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fdc06e09bd0d4683eae51940922c325d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fdc06e09bd0d4683eae51940922c325d.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4116

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3436

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4016

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
3ebba136ed968ee57159e02ca64ecea4

SHA1
4d103665c6e8cd78994b09c3e6e623fb5a09055c

SHA256
d974b041dbf10b67eb032b82fa5bdc9e67f463884ca2df479691b6e2cf72143f

SHA512
27003a0067312b8b566dc517f7452ad3e8d6a2ea82c5c8e282e853b69660ada6eb89000de3f4a3a14accae1ab2c74c9984e80c45e0817ead6753f68705531820

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
3ebba136ed968ee57159e02ca64ecea4

SHA1
4d103665c6e8cd78994b09c3e6e623fb5a09055c

SHA256
d974b041dbf10b67eb032b82fa5bdc9e67f463884ca2df479691b6e2cf72143f

SHA512
27003a0067312b8b566dc517f7452ad3e8d6a2ea82c5c8e282e853b69660ada6eb89000de3f4a3a14accae1ab2c74c9984e80c45e0817ead6753f68705531820

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
3ebba136ed968ee57159e02ca64ecea4

SHA1
4d103665c6e8cd78994b09c3e6e623fb5a09055c

SHA256
d974b041dbf10b67eb032b82fa5bdc9e67f463884ca2df479691b6e2cf72143f

SHA512
27003a0067312b8b566dc517f7452ad3e8d6a2ea82c5c8e282e853b69660ada6eb89000de3f4a3a14accae1ab2c74c9984e80c45e0817ead6753f68705531820

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
eba622d9c8473e1542b3c611252f9332

SHA1
5f121b16ffa3ce1282e9dc8c59df7a4756b2165d

SHA256
b53ebec134709bd98664413ca16702068dd07312e2d61dfbf5a09ca704164998

SHA512
76e5d39cf6dd472abd89a857452e7885d352517e5b27ed3ed0d6811d34f2f60bd9cdbb0ed4a8b9cc9f71db65c8c51c7c8e8db0a7899aaf2a1240113de23b9618

Download Submit
memory/3436-131-0x0000000000000000-mapping.dmp

Download
memory/4116-130-0x0000000000000000-mapping.dmp

Download