wannacry | 5ccd9a6def2edff6c13c74d075317bf552305dbb889bd2953392171c6d768c7e

Analysis

max time kernel
159s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ba3d5e67d65dd85838c6460add04f93.dll
Size

5.0MB
MD5

4ba3d5e67d65dd85838c6460add04f93
SHA1

d013ca251d3cb4db30aebb89b5d7a85ebfa4fb5a
SHA256

5ccd9a6def2edff6c13c74d075317bf552305dbb889bd2953392171c6d768c7e
SHA512

108e6a11873e8e1f0bc97a18d79a8ff0d64a370e8e80be270f20a6cc8796e1acefe46d7ce6cd8ae5aea280f5326d20446098ba9199511514287ccb7ed40680de

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3046) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3364 mssecsvc.exe
4052 mssecsvc.exe
648 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3364	mssecsvc.exe
4052	mssecsvc.exe
648	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3768 wrote to memory of 2332	3768	rundll32.exe	rundll32.exe
PID 3768 wrote to memory of 2332	3768	rundll32.exe	rundll32.exe
PID 3768 wrote to memory of 2332	3768	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 3364	2332	rundll32.exe	mssecsvc.exe
PID 2332 wrote to memory of 3364	2332	rundll32.exe	mssecsvc.exe
PID 2332 wrote to memory of 3364	2332	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ba3d5e67d65dd85838c6460add04f93.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ba3d5e67d65dd85838c6460add04f93.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2332

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3364

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:648

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:4052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
e904de9132bbba0e436c7cfe6bbdba94

SHA1
20de8f1ff795463f3e98fd5117be30788c6d2897

SHA256
237dd6a108bcba4f76deff22a787a671544018b00d7da63ada70bef8f8bf62d1

SHA512
cf5d5ec89457ce1f786d0a0bd33f19f13bb9d76ade74428a0e70b23968adc94bc06aac7e815dbca0325d4c3c63345723057a5e8c27e205e44e74ea11bc3ad1b4

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
e904de9132bbba0e436c7cfe6bbdba94

SHA1
20de8f1ff795463f3e98fd5117be30788c6d2897

SHA256
237dd6a108bcba4f76deff22a787a671544018b00d7da63ada70bef8f8bf62d1

SHA512
cf5d5ec89457ce1f786d0a0bd33f19f13bb9d76ade74428a0e70b23968adc94bc06aac7e815dbca0325d4c3c63345723057a5e8c27e205e44e74ea11bc3ad1b4

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
e904de9132bbba0e436c7cfe6bbdba94

SHA1
20de8f1ff795463f3e98fd5117be30788c6d2897

SHA256
237dd6a108bcba4f76deff22a787a671544018b00d7da63ada70bef8f8bf62d1

SHA512
cf5d5ec89457ce1f786d0a0bd33f19f13bb9d76ade74428a0e70b23968adc94bc06aac7e815dbca0325d4c3c63345723057a5e8c27e205e44e74ea11bc3ad1b4

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
dd07cd8cea145f94583b3e020a742058

SHA1
6076eb70733041e0aaa2795e6cbbdf9b1ffcc98a

SHA256
0a265ea8d2c7f5ba68c2cea468dd07cff10c8cd8863c0edc0c474d2b974bdc63

SHA512
ecaad18e731dfb9c6b06e3e7341c47dafe985db071376b0e6a37a4a86d2893fe099c7f3c94223948700901e87eac19284e07d100afddbe545f21be5b76a980c0

Download Submit
memory/2332-130-0x0000000000000000-mapping.dmp

Download
memory/3364-131-0x0000000000000000-mapping.dmp

Download