wannacry | 20f3289d1af36f3017c94a2fa2485707ae2d8c0e5159f287761b68c5c275d82f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7d34dcaf52c8e815649c20826a9db19.dll
Size

5.0MB
MD5

e7d34dcaf52c8e815649c20826a9db19
SHA1

d7385a7ee07704bd48b39dfcc925f7a9013c8e47
SHA256

20f3289d1af36f3017c94a2fa2485707ae2d8c0e5159f287761b68c5c275d82f
SHA512

47abed504848334db20ac6d13111ebb19af2c038ccf5bae0acf6700e24ab3ee6ab841e0b790d7da576448649e5df7c15f1bd6ef515b2005eea9a7d71db6a64e1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3104) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3792 mssecsvc.exe
4908 mssecsvc.exe
4400 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3792	mssecsvc.exe
4908	mssecsvc.exe
4400	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 460 wrote to memory of 4656	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 4656	460	rundll32.exe	rundll32.exe
PID 460 wrote to memory of 4656	460	rundll32.exe	rundll32.exe
PID 4656 wrote to memory of 3792	4656	rundll32.exe	mssecsvc.exe
PID 4656 wrote to memory of 3792	4656	rundll32.exe	mssecsvc.exe
PID 4656 wrote to memory of 3792	4656	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7d34dcaf52c8e815649c20826a9db19.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e7d34dcaf52c8e815649c20826a9db19.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4656

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3792

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4400

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
12352a4c133aea766b92316745491372

SHA1
312b4a72998344757f7f3001eb78e8ac86263240

SHA256
7b4ff05059a3557982c9f79a3ed5d362ee7516ff2b97c28e3f371a69718d64d0

SHA512
0d91d20d34675c2e5d2d0909b7b88c324fd394405c65070069e96fcb190f571a8035ce87f5cc0e22947621be0652e3638374c5c8f72939d95e3619a90d0baf39

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
12352a4c133aea766b92316745491372

SHA1
312b4a72998344757f7f3001eb78e8ac86263240

SHA256
7b4ff05059a3557982c9f79a3ed5d362ee7516ff2b97c28e3f371a69718d64d0

SHA512
0d91d20d34675c2e5d2d0909b7b88c324fd394405c65070069e96fcb190f571a8035ce87f5cc0e22947621be0652e3638374c5c8f72939d95e3619a90d0baf39

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
12352a4c133aea766b92316745491372

SHA1
312b4a72998344757f7f3001eb78e8ac86263240

SHA256
7b4ff05059a3557982c9f79a3ed5d362ee7516ff2b97c28e3f371a69718d64d0

SHA512
0d91d20d34675c2e5d2d0909b7b88c324fd394405c65070069e96fcb190f571a8035ce87f5cc0e22947621be0652e3638374c5c8f72939d95e3619a90d0baf39

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
0973d939cc82d272c530ad5f4c97a429

SHA1
fe154b3a193495a77f213691cd6e1b515605dfc4

SHA256
b07d69c48ff86cc4efafe2ea42ac0b5d5971233f92de7325459fd6b4256fcfe0

SHA512
6e80c968758853cfd7c10502095958eac89cae2bdde9cee297ed060554669029c8f8bf4364ee0a5f3e239f898d9a87848627b86adb1d14c59754743577d88ffe

Download Submit
memory/3792-131-0x0000000000000000-mapping.dmp

Download
memory/3792-135-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/3792-138-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/4656-130-0x0000000000000000-mapping.dmp

Download
memory/4908-137-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/4908-139-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download