wannacry | 2acbff44e7801bc61a7881a7fc29549ac9b5f903817b6ffec3c305d550e5271e

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f751d9ab6fd444e1b6661ae17e78d5.dll
Size

5.0MB
MD5

23f751d9ab6fd444e1b6661ae17e78d5
SHA1

7440820782e3299fad7e70c9c55ea9779aa7807f
SHA256

2acbff44e7801bc61a7881a7fc29549ac9b5f903817b6ffec3c305d550e5271e
SHA512

e768777032a5631a335032df03e4fac2971566789db362cd65706eb13bcbed3ca889bb134f69ab01337da062305b92319a55698a0b0403aadb551db70d0311db

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2983) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3836 mssecsvc.exe
1396 mssecsvc.exe
1260 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3836	mssecsvc.exe
1396	mssecsvc.exe
1260	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3872 wrote to memory of 1452	3872	rundll32.exe	rundll32.exe
PID 3872 wrote to memory of 1452	3872	rundll32.exe	rundll32.exe
PID 3872 wrote to memory of 1452	3872	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 3836	1452	rundll32.exe	mssecsvc.exe
PID 1452 wrote to memory of 3836	1452	rundll32.exe	mssecsvc.exe
PID 1452 wrote to memory of 3836	1452	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f751d9ab6fd444e1b6661ae17e78d5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f751d9ab6fd444e1b6661ae17e78d5.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1452

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3836

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1260

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
302fd72620286fec7b1f5b1a57d324a3

SHA1
af0c5ad0b19d8e2a3c0f823ecf1f624e4dfe1126

SHA256
288cd224838bbd21edc43fc6408f72c1cbe7e37f4bcaab192f3773723a29ee8c

SHA512
979d267876bf3b59f0e39a919d8b9079f9a3f3f2205ed92a651c1dffd8b6e25d853f54ce9d969bf5d82941207a77da6095894123c140f5505d8d738aec27a14c

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
302fd72620286fec7b1f5b1a57d324a3

SHA1
af0c5ad0b19d8e2a3c0f823ecf1f624e4dfe1126

SHA256
288cd224838bbd21edc43fc6408f72c1cbe7e37f4bcaab192f3773723a29ee8c

SHA512
979d267876bf3b59f0e39a919d8b9079f9a3f3f2205ed92a651c1dffd8b6e25d853f54ce9d969bf5d82941207a77da6095894123c140f5505d8d738aec27a14c

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
302fd72620286fec7b1f5b1a57d324a3

SHA1
af0c5ad0b19d8e2a3c0f823ecf1f624e4dfe1126

SHA256
288cd224838bbd21edc43fc6408f72c1cbe7e37f4bcaab192f3773723a29ee8c

SHA512
979d267876bf3b59f0e39a919d8b9079f9a3f3f2205ed92a651c1dffd8b6e25d853f54ce9d969bf5d82941207a77da6095894123c140f5505d8d738aec27a14c

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
217653e840e8d2b4d420c7c290f6240b

SHA1
689845620d3ae2b843dfaa657e4b7fc56b950250

SHA256
3a8dcb1c500279e91c415407618c385a6e6a215f815914f6d38a705f10e1c55c

SHA512
0f5b77665758bc8b974eec5b1e79b76ad2df3959c97b232ebeb9067f4879e6473bfa56acf0b6c25b2e06617a7a9c775e2e1d1108dc58ae16a97aaaa5faa0e5d6

Download Submit
memory/1452-130-0x0000000000000000-mapping.dmp

Download
memory/3836-131-0x0000000000000000-mapping.dmp

Download