wannacry | 9bfd0ee288665f94b99c0bea0d7bdc55521fa761a2a8e0390481bf3a3f210cf7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 03:18

Target

833673f1109f028b77a5703bdd180bda.dll
Size

5.0MB
MD5

833673f1109f028b77a5703bdd180bda
SHA1

c182af79cac9592bb4b4bbe5f507e70fe98e08ca
SHA256

9bfd0ee288665f94b99c0bea0d7bdc55521fa761a2a8e0390481bf3a3f210cf7
SHA512

29eda75865243498b123c7fe5c6b7b3bba40e5838dc41b27fabaa6b3c52bf81f824da3a51ece3ba5a978ca3e3b540c027cadec769d418d37104800f164908c24

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3184) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

2732 mssecsvr.exe
1808 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
2732	mssecsvr.exe
1808	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3064 wrote to memory of 3840	3064	rundll32.exe	rundll32.exe
PID 3064 wrote to memory of 3840	3064	rundll32.exe	rundll32.exe
PID 3064 wrote to memory of 3840	3064	rundll32.exe	rundll32.exe
PID 3840 wrote to memory of 2732	3840	rundll32.exe	mssecsvr.exe
PID 3840 wrote to memory of 2732	3840	rundll32.exe	mssecsvr.exe
PID 3840 wrote to memory of 2732	3840	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\833673f1109f028b77a5703bdd180bda.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3064

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\WINDOWS\mssecsvr.exe

Filesize
3.6MB

MD5
7bf8e812377b14c873b0a5c857ee0346

SHA1
05097523b6ac26a12ec1ed6a21ef11f153be2dd4

SHA256
0fb97a3bc05d33f4a5641f12a3491fa057e625a10b311613c5c41b8a950d8330

SHA512
d413a2935953f5aa55c170d10ac770f8d09513673c40ae900daf4e3378a9712e27456767cdafe03a8a961b8723e7676d02eea3cdc73df3cada4bf95f2622545a

Download Submit
C:\Windows\mssecsvr.exe

Filesize
3.6MB

MD5
7bf8e812377b14c873b0a5c857ee0346

SHA1
05097523b6ac26a12ec1ed6a21ef11f153be2dd4

SHA256
0fb97a3bc05d33f4a5641f12a3491fa057e625a10b311613c5c41b8a950d8330

SHA512
d413a2935953f5aa55c170d10ac770f8d09513673c40ae900daf4e3378a9712e27456767cdafe03a8a961b8723e7676d02eea3cdc73df3cada4bf95f2622545a

Download Submit
C:\Windows\mssecsvr.exe

Filesize
3.6MB

MD5
7bf8e812377b14c873b0a5c857ee0346

SHA1
05097523b6ac26a12ec1ed6a21ef11f153be2dd4

SHA256
0fb97a3bc05d33f4a5641f12a3491fa057e625a10b311613c5c41b8a950d8330

SHA512
d413a2935953f5aa55c170d10ac770f8d09513673c40ae900daf4e3378a9712e27456767cdafe03a8a961b8723e7676d02eea3cdc73df3cada4bf95f2622545a

Download Submit
memory/2732-131-0x0000000000000000-mapping.dmp

Download
memory/3840-130-0x0000000000000000-mapping.dmp

Download