wannacry | 66548a8697f332940ab65a1132538d05b7336a5d36b80c91092d134dd9fb4993

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 03:21

Target

c130f2f25837763dfa434515da012899.dll
Size

5.0MB
MD5

c130f2f25837763dfa434515da012899
SHA1

d945495370cff499276c5df54b9a6b43cb796ed0
SHA256

66548a8697f332940ab65a1132538d05b7336a5d36b80c91092d134dd9fb4993
SHA512

92d7d8a1e928b9ac607bfa40378b38d3f9ca51722b3fa9aad63b6c969b84679c6e5d2a24bfbe88a4f31064ef13c1ea13e9342940bc7e7d08a05dddf2c6b00529

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3335) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

4968 mssecsvr.exe
4756 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
4968	mssecsvr.exe
4756	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3836 wrote to memory of 4344	3836	rundll32.exe	rundll32.exe
PID 3836 wrote to memory of 4344	3836	rundll32.exe	rundll32.exe
PID 3836 wrote to memory of 4344	3836	rundll32.exe	rundll32.exe
PID 4344 wrote to memory of 4968	4344	rundll32.exe	mssecsvr.exe
PID 4344 wrote to memory of 4968	4344	rundll32.exe	mssecsvr.exe
PID 4344 wrote to memory of 4968	4344	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c130f2f25837763dfa434515da012899.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3836

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
96458f4a3f076ef0935459cf534e78e5

SHA1
71aaabd5bb6d6022a99a8e6a1935f27ef7ac52af

SHA256
5b47d5054953c34f443a521ea4ecb5fe28394ce0aac2410ea9a14274db0b7090

SHA512
eda43c7f2ee2cd644e1a21d262040b1fcf5a6895991c86054bcddf5ae5365b2efaee27077c9dbca93b830eec39847d1d09978233da432f856115a1a79aa893a6

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
96458f4a3f076ef0935459cf534e78e5

SHA1
71aaabd5bb6d6022a99a8e6a1935f27ef7ac52af

SHA256
5b47d5054953c34f443a521ea4ecb5fe28394ce0aac2410ea9a14274db0b7090

SHA512
eda43c7f2ee2cd644e1a21d262040b1fcf5a6895991c86054bcddf5ae5365b2efaee27077c9dbca93b830eec39847d1d09978233da432f856115a1a79aa893a6

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
96458f4a3f076ef0935459cf534e78e5

SHA1
71aaabd5bb6d6022a99a8e6a1935f27ef7ac52af

SHA256
5b47d5054953c34f443a521ea4ecb5fe28394ce0aac2410ea9a14274db0b7090

SHA512
eda43c7f2ee2cd644e1a21d262040b1fcf5a6895991c86054bcddf5ae5365b2efaee27077c9dbca93b830eec39847d1d09978233da432f856115a1a79aa893a6

Download Submit
memory/4344-130-0x0000000000000000-mapping.dmp

Download
memory/4968-131-0x0000000000000000-mapping.dmp

Download