wannacry | 552249b242e9857e66ca1c2b55e55ecaa354017e1f1fcd2c7ba60388eba99ac5

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
20-07-2022 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e7614af4ddfa286ca963c3f4c039c2a.dll
Size

5.0MB
MD5

6e7614af4ddfa286ca963c3f4c039c2a
SHA1

4086d509392b10e43af87a782e5d96acc5cfff9f
SHA256

552249b242e9857e66ca1c2b55e55ecaa354017e1f1fcd2c7ba60388eba99ac5
SHA512

ebc8fb369c6fc33a20520b493c1e0ca03ba2b9c1f8d398e6f576424fb1028c66f7cebadd22fe67e750e9d44041ae9133e42188b88c479dafca5f1f693c6abc97

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1544 mssecsvc.exe
1740 mssecsvc.exe
1188 tasksche.exe

pid	process
1544	mssecsvc.exe
1740	mssecsvc.exe
1188	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 1120 wrote to memory of 1544	1120	rundll32.exe	mssecsvc.exe
PID 1120 wrote to memory of 1544	1120	rundll32.exe	mssecsvc.exe
PID 1120 wrote to memory of 1544	1120	rundll32.exe	mssecsvc.exe
PID 1120 wrote to memory of 1544	1120	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e7614af4ddfa286ca963c3f4c039c2a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e7614af4ddfa286ca963c3f4c039c2a.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1120

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1544

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1188

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
39d9ed013d95e7770eb68278ac88a89e

SHA1
3eb2c5c36416802fc8bcc6270a009b09ddb1d9f1

SHA256
51f832a706474f358dd223b3b95108cbf86c2f9ecdbfa340b838a39f461342f5

SHA512
cc9977149c06d2e689b8050ad0dce65dacfc11f4e99bc64f1d6d6cc868f55a9e5ffbbfabf8563ee1cad31932f58621061efe009a3406400a68ae9f184f6cddcb

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
39d9ed013d95e7770eb68278ac88a89e

SHA1
3eb2c5c36416802fc8bcc6270a009b09ddb1d9f1

SHA256
51f832a706474f358dd223b3b95108cbf86c2f9ecdbfa340b838a39f461342f5

SHA512
cc9977149c06d2e689b8050ad0dce65dacfc11f4e99bc64f1d6d6cc868f55a9e5ffbbfabf8563ee1cad31932f58621061efe009a3406400a68ae9f184f6cddcb

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
39d9ed013d95e7770eb68278ac88a89e

SHA1
3eb2c5c36416802fc8bcc6270a009b09ddb1d9f1

SHA256
51f832a706474f358dd223b3b95108cbf86c2f9ecdbfa340b838a39f461342f5

SHA512
cc9977149c06d2e689b8050ad0dce65dacfc11f4e99bc64f1d6d6cc868f55a9e5ffbbfabf8563ee1cad31932f58621061efe009a3406400a68ae9f184f6cddcb

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9e628932a5b0516e3e1dc12293d16ab4

SHA1
96d7ffbb31d9d2737625def93f78b12f56a34c24

SHA256
97feb4ff0e816da9b868f7972cfe53ebe64c8d12e8a2faa8e51528b9ddd1d329

SHA512
ee11a17f4fbbf035dd82e11a6604a82f5c3f2f6c8b4a64c1bd2b38f5876778ceca0a6cf83ea9fe245164f2b00161874274f926461b90b045be152896ffb60811

Download Submit
memory/1120-54-0x0000000000000000-mapping.dmp

Download
memory/1120-55-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1544-56-0x0000000000000000-mapping.dmp

Download