wannacry | b6f12ee8bf35f88f75f273efa51b5f7145a0788046db118031c56cf76d28c9b3

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2022 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03a5fa4484f00c7b2f7f8fb47adc5c9b.dll
Size

5.0MB
MD5

03a5fa4484f00c7b2f7f8fb47adc5c9b
SHA1

14b9afb09e86eb6be0a6fbf21c8b049cdc97c141
SHA256

b6f12ee8bf35f88f75f273efa51b5f7145a0788046db118031c56cf76d28c9b3
SHA512

14eecf96b091d9a7d3c67d83ba8a2b4eccd1afe0d69fcb503345efabb96f583f79f3d1f5f22ca845b2dccc0ac2fad9104e73ff6e86b0cb3ed51037f5c30db8bd
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhv593R8yAVp2H:+DqPe1Cxcxk3ZAE/R8yc4H

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1736 mssecsvc.exe
4164 mssecsvc.exe
224 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1736	mssecsvc.exe
4164	mssecsvc.exe
224	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4376 wrote to memory of 4972	4376	rundll32.exe	rundll32.exe
PID 4376 wrote to memory of 4972	4376	rundll32.exe	rundll32.exe
PID 4376 wrote to memory of 4972	4376	rundll32.exe	rundll32.exe
PID 4972 wrote to memory of 1736	4972	rundll32.exe	mssecsvc.exe
PID 4972 wrote to memory of 1736	4972	rundll32.exe	mssecsvc.exe
PID 4972 wrote to memory of 1736	4972	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03a5fa4484f00c7b2f7f8fb47adc5c9b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03a5fa4484f00c7b2f7f8fb47adc5c9b.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4972

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1736

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:224

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
bdbe78fe7b331fe93e189a1c2d6ef552

SHA1
be26b61244742ffd6890baec18ecb554363b7261

SHA256
6de52192df48d902a75efd787573c771eb799bf0aba7a32963e761fdc9114f15

SHA512
84a7bf9d30f8b1eaad4f1055c91dd030474f6840c1e632aa42dbc03a29a9a173a81c7c9139db5fe2f3e30108dc24a83bcaa90988178d311c1b24450bf70e7588

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
bdbe78fe7b331fe93e189a1c2d6ef552

SHA1
be26b61244742ffd6890baec18ecb554363b7261

SHA256
6de52192df48d902a75efd787573c771eb799bf0aba7a32963e761fdc9114f15

SHA512
84a7bf9d30f8b1eaad4f1055c91dd030474f6840c1e632aa42dbc03a29a9a173a81c7c9139db5fe2f3e30108dc24a83bcaa90988178d311c1b24450bf70e7588

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
bdbe78fe7b331fe93e189a1c2d6ef552

SHA1
be26b61244742ffd6890baec18ecb554363b7261

SHA256
6de52192df48d902a75efd787573c771eb799bf0aba7a32963e761fdc9114f15

SHA512
84a7bf9d30f8b1eaad4f1055c91dd030474f6840c1e632aa42dbc03a29a9a173a81c7c9139db5fe2f3e30108dc24a83bcaa90988178d311c1b24450bf70e7588

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
d1168ccc82d6d7a24436ca0275e9404b

SHA1
e4cd895c95323ab7bd822525939b67416cd85638

SHA256
f10bef260b7b62e11575891f3c62144607a3092729a2099215b3ae2fba2a09d7

SHA512
3560e420a3de4b81b6f3ae9b4aef916bcd8a7ed6a5249d7ff14abefd2c6c47d3c134fea45437b1945d875609b95fe422395244eb60ad644c115168bd356a24bf

Download Submit
memory/1736-133-0x0000000000000000-mapping.dmp

Download
memory/4972-132-0x0000000000000000-mapping.dmp

Download