wannacry | 5ff1e117916fd58b93b581f974a443db3553ec650065af44bc47fed336437d8c

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d6e15b6897d5f356688b91b510758ff.dll
Size

5.0MB
MD5

8d6e15b6897d5f356688b91b510758ff
SHA1

b9e5234710af1b61c375277b4c2d5cb58a87cea8
SHA256

5ff1e117916fd58b93b581f974a443db3553ec650065af44bc47fed336437d8c
SHA512

b562f1e33452700b532138b6a4380ce004c70acee2800b8fd423f9a1eb274c667cb53d73c73f0b1e8de0e8177b1f1de58e4c529a5bfffff16d4647d4bee12ee2

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3168) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

5092 mssecsvc.exe
4680 mssecsvc.exe
2272 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
5092	mssecsvc.exe
4680	mssecsvc.exe
2272	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1688 wrote to memory of 2124	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2124	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2124	1688	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 5092	2124	rundll32.exe	mssecsvc.exe
PID 2124 wrote to memory of 5092	2124	rundll32.exe	mssecsvc.exe
PID 2124 wrote to memory of 5092	2124	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d6e15b6897d5f356688b91b510758ff.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d6e15b6897d5f356688b91b510758ff.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2124

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5092

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2272

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
0f8ba7f48ae90ccd1a93fbde85335bac

SHA1
a77937d0f51ac29e34c045faf7d9d2ede6785135

SHA256
72d39384671ea94c0c8cb164194ec89049e57a933e411db5dd2cd3c53cf0cb36

SHA512
8af43de53ca005744ca69eda774f6b25094f7799e5b60c9fdcd4f1194522ba9390df4c9e49be5332370a9a44e2d5a2d0e8f96f773f5feba56584c27e936ee045

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
0f8ba7f48ae90ccd1a93fbde85335bac

SHA1
a77937d0f51ac29e34c045faf7d9d2ede6785135

SHA256
72d39384671ea94c0c8cb164194ec89049e57a933e411db5dd2cd3c53cf0cb36

SHA512
8af43de53ca005744ca69eda774f6b25094f7799e5b60c9fdcd4f1194522ba9390df4c9e49be5332370a9a44e2d5a2d0e8f96f773f5feba56584c27e936ee045

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
0f8ba7f48ae90ccd1a93fbde85335bac

SHA1
a77937d0f51ac29e34c045faf7d9d2ede6785135

SHA256
72d39384671ea94c0c8cb164194ec89049e57a933e411db5dd2cd3c53cf0cb36

SHA512
8af43de53ca005744ca69eda774f6b25094f7799e5b60c9fdcd4f1194522ba9390df4c9e49be5332370a9a44e2d5a2d0e8f96f773f5feba56584c27e936ee045

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
f328091ff4dc121b758269112d2dc3fc

SHA1
75d658b45cf80435a5787f6aed66d9e0cf1d4def

SHA256
21a3d0bb1c6bf456737b6c7c8fe82a988fdb4a2b83cff2a64e6c435b3eb7ee24

SHA512
b1430eb11720873b6f36e1c3ad232fdcd238a5e4fa86b6cdce91175cb616815240169131ad0628400cc57647c974c753cbbb5d6c3303db12e6e1191eb3420824

Download Submit
memory/2124-130-0x0000000000000000-mapping.dmp

Download
memory/5092-131-0x0000000000000000-mapping.dmp

Download