wannacry | 0317f30f3b8872da8b3e2504ffd20e98d269b5d3a9d5bea9babb9684c8a02a8f

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
20-07-2022 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b34cfe3ec07b73d508edda28e3ffffe.dll
Size

5.0MB
MD5

3b34cfe3ec07b73d508edda28e3ffffe
SHA1

43c6934d1895680d366a38741a9f1e6d0ac64682
SHA256

0317f30f3b8872da8b3e2504ffd20e98d269b5d3a9d5bea9babb9684c8a02a8f
SHA512

64d7155577a24495667fcbb75daa38d7e260ef5dfcc1bc4ad3ffebefecbeb617f6e645c0e8e4c6971cf89994e29a84f9cb864b49564b78950d9653202900639d

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1568) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1560 mssecsvc.exe
1520 mssecsvc.exe
840 tasksche.exe

pid	process
1560	mssecsvc.exe
1520	mssecsvc.exe
840	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b34cfe3ec07b73d508edda28e3ffffe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b34cfe3ec07b73d508edda28e3ffffe.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1560

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:840

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
8ba4029caaa6b5f9a2107ce9bf31efd9

SHA1
0486f02b9d4510ee5fe65160cf13ead4cb082bae

SHA256
307d98dd0ca9ed336203de0cefc559e18c8b3f648bc0899e161a0142428b47af

SHA512
12c7215947b362336c53c284c14b5a02c32417ae76f4d4486b00f4e72083af8fbfaa93dfa92345ae20e1b727a2a174d2d2800b06d547520562520e090720234c

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
8ba4029caaa6b5f9a2107ce9bf31efd9

SHA1
0486f02b9d4510ee5fe65160cf13ead4cb082bae

SHA256
307d98dd0ca9ed336203de0cefc559e18c8b3f648bc0899e161a0142428b47af

SHA512
12c7215947b362336c53c284c14b5a02c32417ae76f4d4486b00f4e72083af8fbfaa93dfa92345ae20e1b727a2a174d2d2800b06d547520562520e090720234c

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
8ba4029caaa6b5f9a2107ce9bf31efd9

SHA1
0486f02b9d4510ee5fe65160cf13ead4cb082bae

SHA256
307d98dd0ca9ed336203de0cefc559e18c8b3f648bc0899e161a0142428b47af

SHA512
12c7215947b362336c53c284c14b5a02c32417ae76f4d4486b00f4e72083af8fbfaa93dfa92345ae20e1b727a2a174d2d2800b06d547520562520e090720234c

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
74aed458a4f40f23b8ed56aa3ce02ab5

SHA1
d3b105938081f2ca00e94320cac00de8c6e53ea4

SHA256
679e0bdd9cc28348d29564a718ebcf58f99ea34752ee0938711aae98bd9643a3

SHA512
e550fb6e302ef564014e9f928c10fa0837c5dd045cf6dad51f7ea611a80399c8372542d11153374751fd959314a156168576ec5b529f8c7aece777a775a1b9f2

Download Submit
memory/1560-56-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000000000000-mapping.dmp

Download
memory/2024-55-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download