wannacry | 0140a4d1488d96cdd6ab4212a25d265c85f32e84b48481746433870333ab26c4

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 03:01

Target

dcf87f36afd7e67cf03843cd03b24979.dll
Size

5.0MB
MD5

dcf87f36afd7e67cf03843cd03b24979
SHA1

2de433a36230aff2475dfddb31f459bd060430e6
SHA256

0140a4d1488d96cdd6ab4212a25d265c85f32e84b48481746433870333ab26c4
SHA512

d1936de4fbedbf977470e96d5d624a3cfbec5a42f9c48e7c4d58925752bfcca8036911678a462deb48e6befc71e1db608dab5c68c1b4012f5f11c891df1eb127

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3234) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

4152 mssecsvr.exe
1292 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvr.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvr.exe
File created C:\WINDOWS\mssecsvr.exe rundll32.exe

pid	process
4152	mssecsvr.exe
1292	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2392 wrote to memory of 3836	2392	rundll32.exe	rundll32.exe
PID 2392 wrote to memory of 3836	2392	rundll32.exe	rundll32.exe
PID 2392 wrote to memory of 3836	2392	rundll32.exe	rundll32.exe
PID 3836 wrote to memory of 4152	3836	rundll32.exe	mssecsvr.exe
PID 3836 wrote to memory of 4152	3836	rundll32.exe	mssecsvr.exe
PID 3836 wrote to memory of 4152	3836	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dcf87f36afd7e67cf03843cd03b24979.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
PID:1292

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\WINDOWS\mssecsvr.exe

Filesize
2.2MB

MD5
84957e7d032517191cdb85f4b72eeff4

SHA1
dbb838c58615d9c60b43dabb405083e1ad5ab44e

SHA256
b65c8e43cd67c57a27c11677b66608b65473d9de05363049b6d0fe6ed9da00bb

SHA512
47209b355705295b53311976abf475d177d4c56b04b051ece78526816f504b395e3370c1d532819a9fd4bfda11f0cc547bd1fe0e26e58eaeeb0c25bf807cb2f7

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
84957e7d032517191cdb85f4b72eeff4

SHA1
dbb838c58615d9c60b43dabb405083e1ad5ab44e

SHA256
b65c8e43cd67c57a27c11677b66608b65473d9de05363049b6d0fe6ed9da00bb

SHA512
47209b355705295b53311976abf475d177d4c56b04b051ece78526816f504b395e3370c1d532819a9fd4bfda11f0cc547bd1fe0e26e58eaeeb0c25bf807cb2f7

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
84957e7d032517191cdb85f4b72eeff4

SHA1
dbb838c58615d9c60b43dabb405083e1ad5ab44e

SHA256
b65c8e43cd67c57a27c11677b66608b65473d9de05363049b6d0fe6ed9da00bb

SHA512
47209b355705295b53311976abf475d177d4c56b04b051ece78526816f504b395e3370c1d532819a9fd4bfda11f0cc547bd1fe0e26e58eaeeb0c25bf807cb2f7

Download Submit
memory/3836-130-0x0000000000000000-mapping.dmp

Download
memory/4152-131-0x0000000000000000-mapping.dmp

Download