wannacry | 2b24654e5faf1b0e1210478bdf8b5bf1770836fa4dab32994340beceb587b621

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2115b4138ea487dd35e228c0061d67b.dll
Size

5.0MB
MD5

b2115b4138ea487dd35e228c0061d67b
SHA1

036d4a4c13e47f76534487f1e1abc8e2edcbe942
SHA256

2b24654e5faf1b0e1210478bdf8b5bf1770836fa4dab32994340beceb587b621
SHA512

f9533fafe1da75b41e07b1953cdd0235ca9065a8964d6417cf86c2bac19beb1477d0cde2694745385d1eec4f3e0c379dc7e53fb8430b4dcabdc233cff18da4f3

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3241) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4916 mssecsvc.exe
3616 mssecsvc.exe
3780 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4916	mssecsvc.exe
3616	mssecsvc.exe
3780	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4880 wrote to memory of 2700	4880	rundll32.exe	rundll32.exe
PID 4880 wrote to memory of 2700	4880	rundll32.exe	rundll32.exe
PID 4880 wrote to memory of 2700	4880	rundll32.exe	rundll32.exe
PID 2700 wrote to memory of 4916	2700	rundll32.exe	mssecsvc.exe
PID 2700 wrote to memory of 4916	2700	rundll32.exe	mssecsvc.exe
PID 2700 wrote to memory of 4916	2700	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2115b4138ea487dd35e228c0061d67b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2115b4138ea487dd35e228c0061d67b.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2700

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4916

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3780

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
f19b51f459682612f6ced184b5cd528d

SHA1
52046d8116f64e2944d9dde58aee54e8dfd16721

SHA256
7f1f3ef89956693bd6aa5dfb0c47122d4aab04d12dda42d6a0ef3826af5ba469

SHA512
096c3056f950f98fa0f059e86bab4043cccb8f207b8ae0d730ff18ba883b98950c79acb444e8958c12b804b79c36cfd8113903d2c2471828aaf55328c7dae8d7

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f19b51f459682612f6ced184b5cd528d

SHA1
52046d8116f64e2944d9dde58aee54e8dfd16721

SHA256
7f1f3ef89956693bd6aa5dfb0c47122d4aab04d12dda42d6a0ef3826af5ba469

SHA512
096c3056f950f98fa0f059e86bab4043cccb8f207b8ae0d730ff18ba883b98950c79acb444e8958c12b804b79c36cfd8113903d2c2471828aaf55328c7dae8d7

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f19b51f459682612f6ced184b5cd528d

SHA1
52046d8116f64e2944d9dde58aee54e8dfd16721

SHA256
7f1f3ef89956693bd6aa5dfb0c47122d4aab04d12dda42d6a0ef3826af5ba469

SHA512
096c3056f950f98fa0f059e86bab4043cccb8f207b8ae0d730ff18ba883b98950c79acb444e8958c12b804b79c36cfd8113903d2c2471828aaf55328c7dae8d7

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
57ebfdd775ae0a427efb97c2790edb38

SHA1
98cd3cdafd56ad85eecda1dc755fe4c97f279aca

SHA256
dd8191406c527d77f42fccad697ad507dffa720e7e267ef56cda503793e9f09a

SHA512
1ee68aa5ac159d3ac86f0d4ffc2bb6b9f9d7136c4841beeba35558d2abce32962cec8d7f75f9618d1eb95a71665f870dab5f3e2fc26eb6a623a82d83d8371246

Download Submit
memory/2700-130-0x0000000000000000-mapping.dmp

Download
memory/4916-131-0x0000000000000000-mapping.dmp

Download