wannacry | 884c4cc639c28e454c009c5c059a8c1f171f394493de29d232e681be97bc1ec3

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd2b97420b305f73208026657ed0da4a.dll
Size

5.0MB
MD5

dd2b97420b305f73208026657ed0da4a
SHA1

e071791a193701f4b0c42dadb257955348efc109
SHA256

884c4cc639c28e454c009c5c059a8c1f171f394493de29d232e681be97bc1ec3
SHA512

66a990ba8870f48d89950b9ea21f0b6726652277240e759a2af77be431b52f9ea9da69aca5e9fa007af6df3c4a6cc772ad24ab54b9ca9d60e3210b1dd829c1eb

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3181) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4492 mssecsvc.exe
1620 mssecsvc.exe
4088 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4492	mssecsvc.exe
1620	mssecsvc.exe
4088	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2068 wrote to memory of 5012	2068	rundll32.exe	rundll32.exe
PID 2068 wrote to memory of 5012	2068	rundll32.exe	rundll32.exe
PID 2068 wrote to memory of 5012	2068	rundll32.exe	rundll32.exe
PID 5012 wrote to memory of 4492	5012	rundll32.exe	mssecsvc.exe
PID 5012 wrote to memory of 4492	5012	rundll32.exe	mssecsvc.exe
PID 5012 wrote to memory of 4492	5012	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b97420b305f73208026657ed0da4a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b97420b305f73208026657ed0da4a.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5012

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4492

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4088

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
17a8dcf34c64f537223408f48c4cbfd4

SHA1
6ab857f729e41926fbf9d4373b659a06e8b6f75d

SHA256
4ffd66127789176ba9a4062f2b2229cd733de5b3ae9548a0beb1a611a1547830

SHA512
c14c5144afa96dab81a8eaabd32fbcd63ad259762f94843bc1a4db026e3227e217ec1bd3d904f22cb3bc7f2be661010a58a0cafa3747d40c899de148d6089e6b

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
17a8dcf34c64f537223408f48c4cbfd4

SHA1
6ab857f729e41926fbf9d4373b659a06e8b6f75d

SHA256
4ffd66127789176ba9a4062f2b2229cd733de5b3ae9548a0beb1a611a1547830

SHA512
c14c5144afa96dab81a8eaabd32fbcd63ad259762f94843bc1a4db026e3227e217ec1bd3d904f22cb3bc7f2be661010a58a0cafa3747d40c899de148d6089e6b

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
17a8dcf34c64f537223408f48c4cbfd4

SHA1
6ab857f729e41926fbf9d4373b659a06e8b6f75d

SHA256
4ffd66127789176ba9a4062f2b2229cd733de5b3ae9548a0beb1a611a1547830

SHA512
c14c5144afa96dab81a8eaabd32fbcd63ad259762f94843bc1a4db026e3227e217ec1bd3d904f22cb3bc7f2be661010a58a0cafa3747d40c899de148d6089e6b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
1fd3d102d83758e8317df2380821e807

SHA1
3709a9b48aee0d6039b4b3581be33f48d4919b79

SHA256
01b628fa60560c0cb4a332818cb380a65d0616d19976c084e0c3eaa433288b88

SHA512
db0ee5b13e524f2182845aa94b8b1121749e87e48e75e5ba8fa26cae024216913d3a5904fb3544dfeefa49ecf76af5cf1324c410e6366a7197594e8e9e26025f

Download Submit
memory/4492-131-0x0000000000000000-mapping.dmp

Download
memory/5012-130-0x0000000000000000-mapping.dmp

Download