wannacry | 6da6e0b44a80512d686d3fef1d67ae930f29169bc369e0f06e01a2de2b46e953

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9faf2402c6822dd5b60f007cfe85abba.dll
Size

5.0MB
MD5

9faf2402c6822dd5b60f007cfe85abba
SHA1

301e8ef9b2b3c8220624e1c91e4b7cc73c2432cb
SHA256

6da6e0b44a80512d686d3fef1d67ae930f29169bc369e0f06e01a2de2b46e953
SHA512

718f8a17e1275312c063351b8bb83e9612d9a0026840b53495460b712809eb4de59926a9cd9cc1a438b2b431479b75cd8d8f15df314abdd37e93fa12bd71cd35

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3153) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

4464 mssecsvr.exe
3652 mssecsvr.exe
4580 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
4464	mssecsvr.exe
3652	mssecsvr.exe
4580	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4616 wrote to memory of 4420	4616	rundll32.exe	rundll32.exe
PID 4616 wrote to memory of 4420	4616	rundll32.exe	rundll32.exe
PID 4616 wrote to memory of 4420	4616	rundll32.exe	rundll32.exe
PID 4420 wrote to memory of 4464	4420	rundll32.exe	mssecsvr.exe
PID 4420 wrote to memory of 4464	4420	rundll32.exe	mssecsvr.exe
PID 4420 wrote to memory of 4464	4420	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9faf2402c6822dd5b60f007cfe85abba.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9faf2402c6822dd5b60f007cfe85abba.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4420

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4464

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4580

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe

Filesize
2.2MB

MD5
d9b3554d96952f1b16252c1811b3b21a

SHA1
23532544f6a27b155ca180be612324de89847b98

SHA256
f489c64c817e66f15478f2eb3f8b444fe402ef6251380da7ba6ff363a1c75f2e

SHA512
4e6d6f15f8a5674a8d28427b148bb0cd225d237c634c6596834a19ec63d68197cb4406cd1fc0303f7ee0c62feeb2a139c8f2ecf5422dffb0905de6dc96ac32e2

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
d9b3554d96952f1b16252c1811b3b21a

SHA1
23532544f6a27b155ca180be612324de89847b98

SHA256
f489c64c817e66f15478f2eb3f8b444fe402ef6251380da7ba6ff363a1c75f2e

SHA512
4e6d6f15f8a5674a8d28427b148bb0cd225d237c634c6596834a19ec63d68197cb4406cd1fc0303f7ee0c62feeb2a139c8f2ecf5422dffb0905de6dc96ac32e2

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
d9b3554d96952f1b16252c1811b3b21a

SHA1
23532544f6a27b155ca180be612324de89847b98

SHA256
f489c64c817e66f15478f2eb3f8b444fe402ef6251380da7ba6ff363a1c75f2e

SHA512
4e6d6f15f8a5674a8d28427b148bb0cd225d237c634c6596834a19ec63d68197cb4406cd1fc0303f7ee0c62feeb2a139c8f2ecf5422dffb0905de6dc96ac32e2

Download Submit
C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
9b19ad1982ad5c0189ac79dfdf8ae986

SHA1
7ef669cdc7389e79e9206a0239978c588b7e6931

SHA256
c34d78817409c59cf2bc802532bc6b2abe884c2b3e67ff17830b1ae518b844f2

SHA512
f7c5821f0792923b75a775677ef1c41523b3411b7e4803c8cfbc6d7f67468f1f1d1c4670ce4b46731621f099c7ffdace32709c7985454d01405d9d58e8b15995

Download Submit
memory/4420-130-0x0000000000000000-mapping.dmp

Download
memory/4464-131-0x0000000000000000-mapping.dmp

Download