wannacry | f464b32447533eeaa9c315f86ef1d5efde140d4f60144c251a86e510860509b3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38ab7916fc2ba54ec6ade58a137556b2.dll
Size

5.0MB
MD5

38ab7916fc2ba54ec6ade58a137556b2
SHA1

1da706431d4a25c27ab47276d932c0b9d08cb644
SHA256

f464b32447533eeaa9c315f86ef1d5efde140d4f60144c251a86e510860509b3
SHA512

5b4dbe5cae76904b73c585478e1c550e3eae6edcd582a2b7cd76db3238468c3d61fa07d0c202b905d2f393ed4c94ad43ad1d195fdad96103189cf1979ad23cd6

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3220) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4828 mssecsvc.exe
4544 mssecsvc.exe
2180 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4828	mssecsvc.exe
4544	mssecsvc.exe
2180	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4268 wrote to memory of 1656	4268	rundll32.exe	rundll32.exe
PID 4268 wrote to memory of 1656	4268	rundll32.exe	rundll32.exe
PID 4268 wrote to memory of 1656	4268	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 4828	1656	rundll32.exe	mssecsvc.exe
PID 1656 wrote to memory of 4828	1656	rundll32.exe	mssecsvc.exe
PID 1656 wrote to memory of 4828	1656	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ab7916fc2ba54ec6ade58a137556b2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ab7916fc2ba54ec6ade58a137556b2.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1656

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4828

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2180

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
75f3a97683f88028e26d11bc5087cca6

SHA1
2497ad91014cc591d9e46dbed1b2c891d45e3eb9

SHA256
402693df7f8e9b82a473107014262019aa3748244c20ee083f1ad84113267b9a

SHA512
4df2f03161b73a744a1aec8ba136490b2a2084195a011a00dd1275a447155b0e36f62b7e89a099cda01a27256fa04aaca4fbc727719cf7fd669bec96314360a4

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
75f3a97683f88028e26d11bc5087cca6

SHA1
2497ad91014cc591d9e46dbed1b2c891d45e3eb9

SHA256
402693df7f8e9b82a473107014262019aa3748244c20ee083f1ad84113267b9a

SHA512
4df2f03161b73a744a1aec8ba136490b2a2084195a011a00dd1275a447155b0e36f62b7e89a099cda01a27256fa04aaca4fbc727719cf7fd669bec96314360a4

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
75f3a97683f88028e26d11bc5087cca6

SHA1
2497ad91014cc591d9e46dbed1b2c891d45e3eb9

SHA256
402693df7f8e9b82a473107014262019aa3748244c20ee083f1ad84113267b9a

SHA512
4df2f03161b73a744a1aec8ba136490b2a2084195a011a00dd1275a447155b0e36f62b7e89a099cda01a27256fa04aaca4fbc727719cf7fd669bec96314360a4

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
565eafef92cd574e804215824ed4d0e7

SHA1
8a92c0d3d92684ebd622684919ace79eedafa8b6

SHA256
5b3ae5c82984228da4b67549e1331565431e0bb4a44bd64615ee7d7bd3dc2c6a

SHA512
19cec62cc7c2864e08fdaca2b2f32724056ecb0d569d9b9b13e6dc08c0f20cd5adc59e17bf5e907208e8334605e3862002e4efeabebfccb0733a9f9fe7d2ae34

Download Submit
memory/1656-130-0x0000000000000000-mapping.dmp

Download
memory/4828-131-0x0000000000000000-mapping.dmp

Download