wannacry | 5cc480c8869b3c6b9e319b6688ba7c7da41c1ca679a2582adccb3d28aded93e4

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

986b29f805c4036a4b17a2050e67aae6.dll
Size

5.0MB
MD5

986b29f805c4036a4b17a2050e67aae6
SHA1

9c9118edacd1103c5244dd8cb103e26ff5f4238c
SHA256

5cc480c8869b3c6b9e319b6688ba7c7da41c1ca679a2582adccb3d28aded93e4
SHA512

450683459e863a881f06d91ad63d4f130a9e43ae9d8c83907a4ccce5239579bba2cc123172c19362736d031b17ed1cea4ba24b7d696cf0f828f05684fdd43e1a

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3097) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4620 mssecsvc.exe
4792 mssecsvc.exe
2072 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4648 2072 WerFault.exe tasksche.exe
728 2072 WerFault.exe tasksche.exe

pid	process
4620	mssecsvc.exe
4792	mssecsvc.exe
2072	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

pid	pid_target	process	target process
4648	2072	WerFault.exe	tasksche.exe
728	2072	WerFault.exe	tasksche.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 3124 wrote to memory of 4836	3124	rundll32.exe	rundll32.exe
PID 3124 wrote to memory of 4836	3124	rundll32.exe	rundll32.exe
PID 3124 wrote to memory of 4836	3124	rundll32.exe	rundll32.exe
PID 4836 wrote to memory of 4620	4836	rundll32.exe	mssecsvc.exe
PID 4836 wrote to memory of 4620	4836	rundll32.exe	mssecsvc.exe
PID 4836 wrote to memory of 4620	4836	rundll32.exe	mssecsvc.exe
PID 4620 wrote to memory of 2072	4620	mssecsvc.exe	tasksche.exe
PID 4620 wrote to memory of 2072	4620	mssecsvc.exe	tasksche.exe
PID 4620 wrote to memory of 2072	4620	mssecsvc.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\986b29f805c4036a4b17a2050e67aae6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\986b29f805c4036a4b17a2050e67aae6.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4836

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4620

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 220
5⤵
- Program crash
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 224
5⤵
- Program crash
PID:728

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2072 -ip 2072
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2072 -ip 2072
1⤵
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
51cfc6fe985916116cd2bbd6aa836044

SHA1
db443f2110da8a92435c2478a1cd946f91f162bb

SHA256
aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc

SHA512
0d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512

Download Submit
C:\WINDOWS\tasksche.exe
Filesize
3.4MB

MD5
7b351fcb4c6a4ccb3d3061936aa553a6

SHA1
365a3e54d81b8c19fe781656a4ce7243749ad970

SHA256
efa788e33b9f58a86b015da2b0b1651f80e02923e9e9ffc1602aeed4218a5dac

SHA512
3d8fa3a451f0a63bb0ce444f5f3ac9420e65e57fd8d50c9477b22ebc58402c747b27c74aef540b4bb0327487d48eef58a77b2ec37d5c52c2224102e4b62c30f8

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
51cfc6fe985916116cd2bbd6aa836044

SHA1
db443f2110da8a92435c2478a1cd946f91f162bb

SHA256
aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc

SHA512
0d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
51cfc6fe985916116cd2bbd6aa836044

SHA1
db443f2110da8a92435c2478a1cd946f91f162bb

SHA256
aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc

SHA512
0d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7b351fcb4c6a4ccb3d3061936aa553a6

SHA1
365a3e54d81b8c19fe781656a4ce7243749ad970

SHA256
efa788e33b9f58a86b015da2b0b1651f80e02923e9e9ffc1602aeed4218a5dac

SHA512
3d8fa3a451f0a63bb0ce444f5f3ac9420e65e57fd8d50c9477b22ebc58402c747b27c74aef540b4bb0327487d48eef58a77b2ec37d5c52c2224102e4b62c30f8

Download Submit
memory/2072-135-0x0000000000000000-mapping.dmp

Download
memory/4620-131-0x0000000000000000-mapping.dmp

Download
memory/4836-130-0x0000000000000000-mapping.dmp

Download