wannacry | e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll
Size

5.0MB
MD5

46273765ba551414751b787b45b9362d
SHA1

61f746ee0c72970ebb11d56019ae297750d7b649
SHA256

e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1
SHA512

e9d46361b429fa3aeb126f0492a715aa5f06ad580fb8b3464be1cb324664a7a41cffcb1aea25a976a4336eee0e15cfaa804e36d19d4213b6173c58e7d5036886

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (2638) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4780 mssecsvc.exe
4520 mssecsvc.exe
1804 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4780	mssecsvc.exe
4520	mssecsvc.exe
1804	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4180 wrote to memory of 4776	4180	rundll32.exe	rundll32.exe
PID 4180 wrote to memory of 4776	4180	rundll32.exe	rundll32.exe
PID 4180 wrote to memory of 4776	4180	rundll32.exe	rundll32.exe
PID 4776 wrote to memory of 4780	4776	rundll32.exe	mssecsvc.exe
PID 4776 wrote to memory of 4780	4776	rundll32.exe	mssecsvc.exe
PID 4776 wrote to memory of 4780	4776	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4776

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4780

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1804

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
9f2febd6d18a6ce6227a470ac3cefe7c

SHA1
b42ad909f382aa3af976e65e0fc0b31ba2ed171e

SHA256
a0f90f94e4f4a8ec24497109c2548bd24892069a70b619130ec2045d026dd6e0

SHA512
241b330563e2a2d87cb73fa1e003dc7aa12822248c2df999f8e1e249dd75d608ba5333f55171f711afb768b8b0f9aa961e3da9c768c9ebecb997863853cb6a02

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
9f2febd6d18a6ce6227a470ac3cefe7c

SHA1
b42ad909f382aa3af976e65e0fc0b31ba2ed171e

SHA256
a0f90f94e4f4a8ec24497109c2548bd24892069a70b619130ec2045d026dd6e0

SHA512
241b330563e2a2d87cb73fa1e003dc7aa12822248c2df999f8e1e249dd75d608ba5333f55171f711afb768b8b0f9aa961e3da9c768c9ebecb997863853cb6a02

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
9f2febd6d18a6ce6227a470ac3cefe7c

SHA1
b42ad909f382aa3af976e65e0fc0b31ba2ed171e

SHA256
a0f90f94e4f4a8ec24497109c2548bd24892069a70b619130ec2045d026dd6e0

SHA512
241b330563e2a2d87cb73fa1e003dc7aa12822248c2df999f8e1e249dd75d608ba5333f55171f711afb768b8b0f9aa961e3da9c768c9ebecb997863853cb6a02

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
0a05a5da7327c4e5086d3c393fb890d9

SHA1
3b22803e310a65a509d9ed721b56da389e508831

SHA256
e557d37e7763d698cfad36992f2cae832b49d56ac988e67dfe83edf348735d19

SHA512
5a792c4a62568b2ef5a4cd17e739e6237b38f7c2e167337a6cfb5d358fa33871fe8df8eb7ecf7a4dba59f82549088c22530d68deccccb4259280860335273c80

Download Submit
memory/4776-130-0x0000000000000000-mapping.dmp

Download
memory/4780-131-0x0000000000000000-mapping.dmp

Download