wannacry | 5ccd9a6def2edff6c13c74d075317bf552305dbb889bd2953392171c6d768c7e

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
20-07-2022 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ba3d5e67d65dd85838c6460add04f93.dll
Size

5.0MB
MD5

4ba3d5e67d65dd85838c6460add04f93
SHA1

d013ca251d3cb4db30aebb89b5d7a85ebfa4fb5a
SHA256

5ccd9a6def2edff6c13c74d075317bf552305dbb889bd2953392171c6d768c7e
SHA512

108e6a11873e8e1f0bc97a18d79a8ff0d64a370e8e80be270f20a6cc8796e1acefe46d7ce6cd8ae5aea280f5326d20446098ba9199511514287ccb7ed40680de

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1265) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1928 mssecsvc.exe
888 mssecsvc.exe
1500 tasksche.exe

pid	process
1928	mssecsvc.exe
888	mssecsvc.exe
1500	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1820 wrote to memory of 880	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 880	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 880	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 880	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 880	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 880	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 880	1820	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 1928	880	rundll32.exe	mssecsvc.exe
PID 880 wrote to memory of 1928	880	rundll32.exe	mssecsvc.exe
PID 880 wrote to memory of 1928	880	rundll32.exe	mssecsvc.exe
PID 880 wrote to memory of 1928	880	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ba3d5e67d65dd85838c6460add04f93.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ba3d5e67d65dd85838c6460add04f93.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:880

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1928

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1500

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
e904de9132bbba0e436c7cfe6bbdba94

SHA1
20de8f1ff795463f3e98fd5117be30788c6d2897

SHA256
237dd6a108bcba4f76deff22a787a671544018b00d7da63ada70bef8f8bf62d1

SHA512
cf5d5ec89457ce1f786d0a0bd33f19f13bb9d76ade74428a0e70b23968adc94bc06aac7e815dbca0325d4c3c63345723057a5e8c27e205e44e74ea11bc3ad1b4

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e904de9132bbba0e436c7cfe6bbdba94

SHA1
20de8f1ff795463f3e98fd5117be30788c6d2897

SHA256
237dd6a108bcba4f76deff22a787a671544018b00d7da63ada70bef8f8bf62d1

SHA512
cf5d5ec89457ce1f786d0a0bd33f19f13bb9d76ade74428a0e70b23968adc94bc06aac7e815dbca0325d4c3c63345723057a5e8c27e205e44e74ea11bc3ad1b4

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e904de9132bbba0e436c7cfe6bbdba94

SHA1
20de8f1ff795463f3e98fd5117be30788c6d2897

SHA256
237dd6a108bcba4f76deff22a787a671544018b00d7da63ada70bef8f8bf62d1

SHA512
cf5d5ec89457ce1f786d0a0bd33f19f13bb9d76ade74428a0e70b23968adc94bc06aac7e815dbca0325d4c3c63345723057a5e8c27e205e44e74ea11bc3ad1b4

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
dd07cd8cea145f94583b3e020a742058

SHA1
6076eb70733041e0aaa2795e6cbbdf9b1ffcc98a

SHA256
0a265ea8d2c7f5ba68c2cea468dd07cff10c8cd8863c0edc0c474d2b974bdc63

SHA512
ecaad18e731dfb9c6b06e3e7341c47dafe985db071376b0e6a37a4a86d2893fe099c7f3c94223948700901e87eac19284e07d100afddbe545f21be5b76a980c0

Download Submit
memory/880-54-0x0000000000000000-mapping.dmp

Download
memory/880-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1928-56-0x0000000000000000-mapping.dmp

Download