wannacry | 6bd2a4b827fca97495f84003e0eeeaef927e331e79f16c321950c0d12e5d15e0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1c0a9deb5cb9034a2acb5201cdcccf0.dll
Size

5.0MB
MD5

e1c0a9deb5cb9034a2acb5201cdcccf0
SHA1

0f52a01b9e3356b3456d2ad53835d2f38575d321
SHA256

6bd2a4b827fca97495f84003e0eeeaef927e331e79f16c321950c0d12e5d15e0
SHA512

1139098c042cd845be9b5eb8cf1379bd722a65e067a7d53e6e8d95ff27894c223230fd8360b32f01736362043ca62a35ec54e79c173886816772ff548df5c96c

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3237) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4276 mssecsvc.exe
4608 mssecsvc.exe
968 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4276	mssecsvc.exe
4608	mssecsvc.exe
968	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4192 wrote to memory of 5028	4192	rundll32.exe	rundll32.exe
PID 4192 wrote to memory of 5028	4192	rundll32.exe	rundll32.exe
PID 4192 wrote to memory of 5028	4192	rundll32.exe	rundll32.exe
PID 5028 wrote to memory of 4276	5028	rundll32.exe	mssecsvc.exe
PID 5028 wrote to memory of 4276	5028	rundll32.exe	mssecsvc.exe
PID 5028 wrote to memory of 4276	5028	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1c0a9deb5cb9034a2acb5201cdcccf0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1c0a9deb5cb9034a2acb5201cdcccf0.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5028

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4276

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:968

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
002cb612960871cb0800de7584cb18ac

SHA1
2c25382189382dd81ab6d8bc72a5775b61c8a6a4

SHA256
be0e95c40aea3b9cf9d1fde259ae35f5db4e04442dd4be8d4e533465127546c0

SHA512
8c3c0331580fff1787ca17084fef50ee293dd979f596fbeb529be4a92ea708e1b905ac3c6e9c0a4e0d7cf4e468b0c1058a99d85a41af266e23a5293d78d5a160

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
002cb612960871cb0800de7584cb18ac

SHA1
2c25382189382dd81ab6d8bc72a5775b61c8a6a4

SHA256
be0e95c40aea3b9cf9d1fde259ae35f5db4e04442dd4be8d4e533465127546c0

SHA512
8c3c0331580fff1787ca17084fef50ee293dd979f596fbeb529be4a92ea708e1b905ac3c6e9c0a4e0d7cf4e468b0c1058a99d85a41af266e23a5293d78d5a160

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
002cb612960871cb0800de7584cb18ac

SHA1
2c25382189382dd81ab6d8bc72a5775b61c8a6a4

SHA256
be0e95c40aea3b9cf9d1fde259ae35f5db4e04442dd4be8d4e533465127546c0

SHA512
8c3c0331580fff1787ca17084fef50ee293dd979f596fbeb529be4a92ea708e1b905ac3c6e9c0a4e0d7cf4e468b0c1058a99d85a41af266e23a5293d78d5a160

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7d1a1e425c3a214a649013d89e82d6b4

SHA1
b695fd52830c6124b1799d0ba0d256fbd786a2f7

SHA256
3743d8bb3d584eb76a7e74dcc199b2674a4dc77a72c9236e1f3ebc5eaf51c7d6

SHA512
ab939c536bf339a70dab35178fdb90919c98bc0e3bf7982380390a6b8bd769e120dff9406db781a852b9da1bcc998bfd6df5f46bb5e8b91621b87a69d436f79f

Download Submit
memory/4276-131-0x0000000000000000-mapping.dmp

Download
memory/4276-134-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4276-137-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4608-138-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/4608-139-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/5028-130-0x0000000000000000-mapping.dmp

Download