wannacry | 51c5225c4bf368296754697e310f1583300b5e85748be40dca5ff5647df4f8dc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3df6e06d7f6270903dda0e9e0da7ff6e.dll
Size

5.0MB
MD5

3df6e06d7f6270903dda0e9e0da7ff6e
SHA1

29dcb3b3b9f9e5f6679ba6fa32531d4d92f567fb
SHA256

51c5225c4bf368296754697e310f1583300b5e85748be40dca5ff5647df4f8dc
SHA512

0cf97a1361b5b73569c4497958091b298c2c29c85ad734078165fbe0cb86c9776bd33463dbd7ecda8d147544d771b1ca6b8751bfc8135cb70eb257f211de3e94
SSDEEP

49152:snjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SA:M8qPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3301) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2184 mssecsvc.exe
2108 mssecsvc.exe
4092 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2184	mssecsvc.exe
2108	mssecsvc.exe
4092	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4952 wrote to memory of 1368	4952	rundll32.exe	rundll32.exe
PID 4952 wrote to memory of 1368	4952	rundll32.exe	rundll32.exe
PID 4952 wrote to memory of 1368	4952	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 2184	1368	rundll32.exe	mssecsvc.exe
PID 1368 wrote to memory of 2184	1368	rundll32.exe	mssecsvc.exe
PID 1368 wrote to memory of 2184	1368	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df6e06d7f6270903dda0e9e0da7ff6e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df6e06d7f6270903dda0e9e0da7ff6e.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1368

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2184

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4092

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
83b00f6b894ff7bb0f087fb29d940ae0

SHA1
b11684cfcb4f81a5997a1e67444f38e4de06a342

SHA256
eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7

SHA512
c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
83b00f6b894ff7bb0f087fb29d940ae0

SHA1
b11684cfcb4f81a5997a1e67444f38e4de06a342

SHA256
eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7

SHA512
c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
83b00f6b894ff7bb0f087fb29d940ae0

SHA1
b11684cfcb4f81a5997a1e67444f38e4de06a342

SHA256
eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7

SHA512
c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
d2deffafa88eed37f5263b395767fd0b

SHA1
cf96cad2f905f022e59d1345fe211984dae32321

SHA256
71431f1a52800c3b1c0f6e7de9241089e0864d1e059b89504a15c3d2565bde66

SHA512
832d7bf0ba6425e265cf7e203ae4facfce4a19e07353fd69d036c557f1b1561a29dea4abc1fce0032bdd8b6cc97cd3fb7fbe0d2684d8df0edb2fb6b5dfbe4b25

Download Submit
memory/1368-132-0x0000000000000000-mapping.dmp

Download
memory/2108-140-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/2108-141-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/2184-133-0x0000000000000000-mapping.dmp

Download
memory/2184-136-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/2184-139-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download