wannacry | 84337599a573db18dc40d501fbe9f1f43f95a45a321761c15aef17d4ca37da17

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bda7309900888b68e4e03c6a9d3a19b.dll
Size

5.0MB
MD5

4bda7309900888b68e4e03c6a9d3a19b
SHA1

0bf661c0cc5a21ae07bea1752aeb52b929abbe22
SHA256

84337599a573db18dc40d501fbe9f1f43f95a45a321761c15aef17d4ca37da17
SHA512

2ace0c92c80b98a557a88e790d2d1bf4f83b478a29ab7a77906e6f1774e168bbe0ad2a57dfa6da8ba59ae23c2f2072276fd2c4adb223ab495144d044008a95a8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3261) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4876 mssecsvc.exe
1888 mssecsvc.exe
1252 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4876	mssecsvc.exe
1888	mssecsvc.exe
1252	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4836 wrote to memory of 844	4836	rundll32.exe	rundll32.exe
PID 4836 wrote to memory of 844	4836	rundll32.exe	rundll32.exe
PID 4836 wrote to memory of 844	4836	rundll32.exe	rundll32.exe
PID 844 wrote to memory of 4876	844	rundll32.exe	mssecsvc.exe
PID 844 wrote to memory of 4876	844	rundll32.exe	mssecsvc.exe
PID 844 wrote to memory of 4876	844	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bda7309900888b68e4e03c6a9d3a19b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bda7309900888b68e4e03c6a9d3a19b.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:844

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4876

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1252

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
53d29c93105ca17d1bd5d8d1a19b4c1c

SHA1
50d33c320a52dcac048172ebbaf5d29063997902

SHA256
696d238c825e2f1beb0c2be5e24db8359ec0ba2fe2089e698e3829db3736a3e6

SHA512
758e257140e2af4f399ae2f690b5670df3339bfbef5b92e30e5748e50da2e4eb8d3d70971698769a779e0f95656113edf474bc56eacfe7cf702f064565e37557

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
53d29c93105ca17d1bd5d8d1a19b4c1c

SHA1
50d33c320a52dcac048172ebbaf5d29063997902

SHA256
696d238c825e2f1beb0c2be5e24db8359ec0ba2fe2089e698e3829db3736a3e6

SHA512
758e257140e2af4f399ae2f690b5670df3339bfbef5b92e30e5748e50da2e4eb8d3d70971698769a779e0f95656113edf474bc56eacfe7cf702f064565e37557

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
53d29c93105ca17d1bd5d8d1a19b4c1c

SHA1
50d33c320a52dcac048172ebbaf5d29063997902

SHA256
696d238c825e2f1beb0c2be5e24db8359ec0ba2fe2089e698e3829db3736a3e6

SHA512
758e257140e2af4f399ae2f690b5670df3339bfbef5b92e30e5748e50da2e4eb8d3d70971698769a779e0f95656113edf474bc56eacfe7cf702f064565e37557

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
2c29a4dc89bec42478b2ef15ee40c896

SHA1
bf3fafba95e27cac81c30b183801a9aa846e13b2

SHA256
5e27ffb8f1b929a1854d03ed4810fb8ebfe610d0cd10917c3c7284e6f536545a

SHA512
239c5be9e745a7bb1eaa589479bd8f6af2e149a5d852519f55e2b881026dedecab24b32893a33933dd8138a7af617b3b8106563549fc982bdf4a1946d6fcc852

Download Submit
memory/844-130-0x0000000000000000-mapping.dmp

Download
memory/4876-131-0x0000000000000000-mapping.dmp

Download