wannacry | 4056238a615260bca116bd686070addc75a16a4c30ee20e805ffdec5c6df0cbb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 01:58

Target

54abc6dbc947845d38762f53af7f2b16.dll
Size

5.0MB
MD5

54abc6dbc947845d38762f53af7f2b16
SHA1

7376d7444a05dc21177496f10d0194eaedd66771
SHA256

4056238a615260bca116bd686070addc75a16a4c30ee20e805ffdec5c6df0cbb
SHA512

d4237b9685c151998308b306974e2e10cc36be530e5f63fa6ef0b4a08181d7cf501813a4e743436f0123c4100416580d2797e46bca1cdf0ea5ae4dfbd2c169b7

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3190) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

2860 mssecsvr.exe
4744 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
2860	mssecsvr.exe
4744	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3856 wrote to memory of 4576	3856	rundll32.exe	rundll32.exe
PID 3856 wrote to memory of 4576	3856	rundll32.exe	rundll32.exe
PID 3856 wrote to memory of 4576	3856	rundll32.exe	rundll32.exe
PID 4576 wrote to memory of 2860	4576	rundll32.exe	mssecsvr.exe
PID 4576 wrote to memory of 2860	4576	rundll32.exe	mssecsvr.exe
PID 4576 wrote to memory of 2860	4576	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\54abc6dbc947845d38762f53af7f2b16.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3856

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\WINDOWS\mssecsvr.exe

Filesize
2.2MB

MD5
ba72f8befa00aa3e36ca5822f4b0955d

SHA1
f627e725fc59284212d32bad8b9e1f5890be76ed

SHA256
f627890d60ebafc66e98a8d7c348a7a89a78301c1934d507a1f167be242de78b

SHA512
0fc598c9ea0992d5751992d9ea5058799c6b6a5ea49d9a4084ae1f50568be7c3419c5f07c38b85b156143b77d472a048526c43fa103bd6d04195eb6a01b87661

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
ba72f8befa00aa3e36ca5822f4b0955d

SHA1
f627e725fc59284212d32bad8b9e1f5890be76ed

SHA256
f627890d60ebafc66e98a8d7c348a7a89a78301c1934d507a1f167be242de78b

SHA512
0fc598c9ea0992d5751992d9ea5058799c6b6a5ea49d9a4084ae1f50568be7c3419c5f07c38b85b156143b77d472a048526c43fa103bd6d04195eb6a01b87661

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
ba72f8befa00aa3e36ca5822f4b0955d

SHA1
f627e725fc59284212d32bad8b9e1f5890be76ed

SHA256
f627890d60ebafc66e98a8d7c348a7a89a78301c1934d507a1f167be242de78b

SHA512
0fc598c9ea0992d5751992d9ea5058799c6b6a5ea49d9a4084ae1f50568be7c3419c5f07c38b85b156143b77d472a048526c43fa103bd6d04195eb6a01b87661

Download Submit
memory/2860-131-0x0000000000000000-mapping.dmp

Download
memory/4576-130-0x0000000000000000-mapping.dmp

Download