wannacry | 29deee004523f7cd4e02e4e5840bf701c0e84e3653199fbce130e2fec42c78f2

Analysis

max time kernel
58s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75fd824e7ad1c17d0bf5e6442f123aba.dll
Size

5.0MB
MD5

75fd824e7ad1c17d0bf5e6442f123aba
SHA1

e67978f75838ac4120b98595fe5080afde7f2f71
SHA256

29deee004523f7cd4e02e4e5840bf701c0e84e3653199fbce130e2fec42c78f2
SHA512

2c90473af21671dc04a746780df54de6d4d32b56e17371fb8e857b8217015145f9062bebef6ebea7108e972141202ec70b3d693208c23846ff9104a0a7bc0523

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2732 mssecsvc.exe
3784 mssecsvc.exe
3476 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2732	mssecsvc.exe
3784	mssecsvc.exe
3476	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3064 wrote to memory of 3840	3064	rundll32.exe	rundll32.exe
PID 3064 wrote to memory of 3840	3064	rundll32.exe	rundll32.exe
PID 3064 wrote to memory of 3840	3064	rundll32.exe	rundll32.exe
PID 3840 wrote to memory of 2732	3840	rundll32.exe	mssecsvc.exe
PID 3840 wrote to memory of 2732	3840	rundll32.exe	mssecsvc.exe
PID 3840 wrote to memory of 2732	3840	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75fd824e7ad1c17d0bf5e6442f123aba.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75fd824e7ad1c17d0bf5e6442f123aba.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3840

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2732

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3476

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
a830c4e5879ed431255cff2839dbb27b

SHA1
db731448952ba09809b5650d6f65a61dfac63c09

SHA256
0a6eedd7b60718df4f7b647603e8c1b6c527ac7d09916ea6cefab8be44ae7cb0

SHA512
5ca0a61ad16d200f2e780ed56d041c521305ddc51def7c26f30af0cc32affee1dba6153a977466ab806d85fded340a693fac32361df2c15e087353a95b2449c2

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
a830c4e5879ed431255cff2839dbb27b

SHA1
db731448952ba09809b5650d6f65a61dfac63c09

SHA256
0a6eedd7b60718df4f7b647603e8c1b6c527ac7d09916ea6cefab8be44ae7cb0

SHA512
5ca0a61ad16d200f2e780ed56d041c521305ddc51def7c26f30af0cc32affee1dba6153a977466ab806d85fded340a693fac32361df2c15e087353a95b2449c2

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
a830c4e5879ed431255cff2839dbb27b

SHA1
db731448952ba09809b5650d6f65a61dfac63c09

SHA256
0a6eedd7b60718df4f7b647603e8c1b6c527ac7d09916ea6cefab8be44ae7cb0

SHA512
5ca0a61ad16d200f2e780ed56d041c521305ddc51def7c26f30af0cc32affee1dba6153a977466ab806d85fded340a693fac32361df2c15e087353a95b2449c2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
c04b4b25d60a28425119ec9ee7d3193c

SHA1
b1e996512ec6799a10b2b5fc4fd67e9e40820941

SHA256
a550bd2542fe4f4d26c8434dc0a28c89512e490cf4f4a04c330ee2a3c5fae13f

SHA512
cfe93b91334eb1c67fb62b144894ec1840c4e094e983bae5b4036ba5c6f2e217ec3e8ef140ba45e26eec1f1510acc53f1c9665226d4b38acf76d56f392c668e0

Download Submit
memory/2732-131-0x0000000000000000-mapping.dmp

Download
memory/3840-130-0x0000000000000000-mapping.dmp

Download