wannacry | 62e5d8ea63ae2492f323107d28a77295f51f920f03cd135f111c11b20ea36c78

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
20-07-2022 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69924833ec0e412e3069091166a610aa.dll
Size

5.0MB
MD5

69924833ec0e412e3069091166a610aa
SHA1

2e15de7871ed84fc178baa75a5875da5835c1e60
SHA256

62e5d8ea63ae2492f323107d28a77295f51f920f03cd135f111c11b20ea36c78
SHA512

2bde5badab56058d1a72f7acf40b8b803c45255b46f4d7f8c7cd9827c6bc3da2b1dd1c11d10986024fe7a66ec213325dd9f229e66c0a8cfd248aef7e7dcc4c87

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1256) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1996 mssecsvc.exe
944 mssecsvc.exe
1644 tasksche.exe

pid	process
1996	mssecsvc.exe
944	mssecsvc.exe
1644	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1176 wrote to memory of 476	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 476	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 476	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 476	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 476	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 476	1176	rundll32.exe	rundll32.exe
PID 1176 wrote to memory of 476	1176	rundll32.exe	rundll32.exe
PID 476 wrote to memory of 1996	476	rundll32.exe	mssecsvc.exe
PID 476 wrote to memory of 1996	476	rundll32.exe	mssecsvc.exe
PID 476 wrote to memory of 1996	476	rundll32.exe	mssecsvc.exe
PID 476 wrote to memory of 1996	476	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\69924833ec0e412e3069091166a610aa.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\69924833ec0e412e3069091166a610aa.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:476

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1996

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1644

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
265aad3eb77310655a5405e6c6f2c44d

SHA1
2dbf164e1124188255a00934bfdc476dcab86120

SHA256
2361e6693ae773a429e39a71eb4664abbab6e4828df76d10570451d62ae3e44c

SHA512
ccbe6b7e45cb66ad686dd395195766dc2e054150567549b8b6f5d04c28eb5f4b48fcb32be339d79047005550540a3eb620e6cac87c0b482914b6089e54b9a11e

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
265aad3eb77310655a5405e6c6f2c44d

SHA1
2dbf164e1124188255a00934bfdc476dcab86120

SHA256
2361e6693ae773a429e39a71eb4664abbab6e4828df76d10570451d62ae3e44c

SHA512
ccbe6b7e45cb66ad686dd395195766dc2e054150567549b8b6f5d04c28eb5f4b48fcb32be339d79047005550540a3eb620e6cac87c0b482914b6089e54b9a11e

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
265aad3eb77310655a5405e6c6f2c44d

SHA1
2dbf164e1124188255a00934bfdc476dcab86120

SHA256
2361e6693ae773a429e39a71eb4664abbab6e4828df76d10570451d62ae3e44c

SHA512
ccbe6b7e45cb66ad686dd395195766dc2e054150567549b8b6f5d04c28eb5f4b48fcb32be339d79047005550540a3eb620e6cac87c0b482914b6089e54b9a11e

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
eb2a86d2555e71ab7fe7c581473dd3ae

SHA1
081ac4ca4282d32d6eecd8654472457b6ed141de

SHA256
3104323e1e2948be836cba9e1e6085a029fcdb4ba8652223e06b683d34aa0c82

SHA512
3a93b4f1e8c0b51f3f77856c1e5169fad9a4da370ec6bdcdd1fca4087124482b1575d5257eadba3c7b6e1880f59e81ab0bcb91a598b0a9503ac6bca90303bd1b

Download Submit
memory/476-54-0x0000000000000000-mapping.dmp

Download
memory/476-55-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download