wannacry | 5d8f0c54fd3945b1c2da7295db07fb85bee9761fc82bed542b9c98746bd6bc42

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0627f0f29229e474c78206de082d53d8.dll
Size

5.0MB
MD5

0627f0f29229e474c78206de082d53d8
SHA1

e3fd6cb3f29ee07b9be7bad39824d02b186b8c2b
SHA256

5d8f0c54fd3945b1c2da7295db07fb85bee9761fc82bed542b9c98746bd6bc42
SHA512

499ee633849972f994355c57ef956143ac049e8d033f1d6a7d467043b7065a4a6fb185a9ad502f176b70675a5bb0810ba8c9e06e940ceb1e5f9b859a68bf438a

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3136) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4556 mssecsvc.exe
4112 mssecsvc.exe
4404 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4556	mssecsvc.exe
4112	mssecsvc.exe
4404	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3848 wrote to memory of 4392	3848	rundll32.exe	rundll32.exe
PID 3848 wrote to memory of 4392	3848	rundll32.exe	rundll32.exe
PID 3848 wrote to memory of 4392	3848	rundll32.exe	rundll32.exe
PID 4392 wrote to memory of 4556	4392	rundll32.exe	mssecsvc.exe
PID 4392 wrote to memory of 4556	4392	rundll32.exe	mssecsvc.exe
PID 4392 wrote to memory of 4556	4392	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0627f0f29229e474c78206de082d53d8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0627f0f29229e474c78206de082d53d8.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4392

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4556

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4404

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
090abe3450019f5893e16535f5d67b0e

SHA1
5487f5b9b1b4f18e1cb7708e1e17acccecaf7755

SHA256
ec3ac4e0682433d49b5570a68db1bae0a71bb406e39ac175bc86d0e059bcd667

SHA512
7de6bcd9d6cb3bf25332a144c2eef2e38989f7f089073bcae67939e7f18e3d6382d8b831cdec9408329d324a0b8023786d5150e21eb783df467fbf6f6cb39fc4

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
090abe3450019f5893e16535f5d67b0e

SHA1
5487f5b9b1b4f18e1cb7708e1e17acccecaf7755

SHA256
ec3ac4e0682433d49b5570a68db1bae0a71bb406e39ac175bc86d0e059bcd667

SHA512
7de6bcd9d6cb3bf25332a144c2eef2e38989f7f089073bcae67939e7f18e3d6382d8b831cdec9408329d324a0b8023786d5150e21eb783df467fbf6f6cb39fc4

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
090abe3450019f5893e16535f5d67b0e

SHA1
5487f5b9b1b4f18e1cb7708e1e17acccecaf7755

SHA256
ec3ac4e0682433d49b5570a68db1bae0a71bb406e39ac175bc86d0e059bcd667

SHA512
7de6bcd9d6cb3bf25332a144c2eef2e38989f7f089073bcae67939e7f18e3d6382d8b831cdec9408329d324a0b8023786d5150e21eb783df467fbf6f6cb39fc4

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
fa0479764a7a2566f7c4da2cfafa794b

SHA1
ae6c04b795a59e1e0b636a6fc88efd2e6597a46a

SHA256
280ed3db4302c33d79ab60d6db3ac2e3a76fede38d0c164aaa50ff9fd6f1b0ce

SHA512
d878df1b6b6e57e4b7dc18f6049c45888b607469fd4843af9939f09c2ec73b39c12101451404342f2401cdadeb84351011d624ba4928ec429518ed42d1138d3a

Download Submit
memory/4392-130-0x0000000000000000-mapping.dmp

Download
memory/4556-131-0x0000000000000000-mapping.dmp

Download