wannacry | 495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c

Analysis

max time kernel
183s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 03:41

Target

495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c.dll
Size

5.0MB
MD5

a51beb6c0ac1650cc9161d77a7b4ffe4
SHA1

140e7d3e026ed3e9372630792966943cafdf7d8c
SHA256

495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c
SHA512

6c319dc91ebb2f1808bb9e7eb3ee1beaa5357e334250802ac173fd73bbca267160b2bfac6db13b4468868b7ed05fd0e34baad54c2bb540140296d9ddb10e6030
SSDEEP

24576:ubLgurgDdmMSirYbcMNgef0QeQjG/D8kIqYmiHkQg65ASk+RdhAdmvctA0p+9XEk:unsEMSPbcBVQej/s1HkQrAARdhnvoAH

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (758) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

4256 mssecsvr.exe
2812 mssecsvr.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
4256	mssecsvr.exe
2812	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3844 wrote to memory of 4400	3844	rundll32.exe	rundll32.exe
PID 3844 wrote to memory of 4400	3844	rundll32.exe	rundll32.exe
PID 3844 wrote to memory of 4400	3844	rundll32.exe	rundll32.exe
PID 4400 wrote to memory of 4256	4400	rundll32.exe	mssecsvr.exe
PID 4400 wrote to memory of 4256	4400	rundll32.exe	mssecsvr.exe
PID 4400 wrote to memory of 4256	4400	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3844

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\WINDOWS\mssecsvr.exe
Filesize
3.6MB

MD5
b9d9625066a34cc108ca55ea141c624a

SHA1
4f51a129f39bb40a84f004997ceac9c6ac3fcd36

SHA256
363392deccfedda47ab0c639ffb37d5ebedb3218448ba1a8b80349382e3d2b00

SHA512
63fc7643dbae65c8996b8d3713c218703f542b7add86f260e6760c4601809c79a1a750fe7291bac3c8e0e822792923277cfcf7e6e1b195c4843638014219da0b

Download Submit
C:\Windows\mssecsvr.exe
Filesize
3.6MB

MD5
b9d9625066a34cc108ca55ea141c624a

SHA1
4f51a129f39bb40a84f004997ceac9c6ac3fcd36

SHA256
363392deccfedda47ab0c639ffb37d5ebedb3218448ba1a8b80349382e3d2b00

SHA512
63fc7643dbae65c8996b8d3713c218703f542b7add86f260e6760c4601809c79a1a750fe7291bac3c8e0e822792923277cfcf7e6e1b195c4843638014219da0b

Download Submit
C:\Windows\mssecsvr.exe
Filesize
3.6MB

MD5
b9d9625066a34cc108ca55ea141c624a

SHA1
4f51a129f39bb40a84f004997ceac9c6ac3fcd36

SHA256
363392deccfedda47ab0c639ffb37d5ebedb3218448ba1a8b80349382e3d2b00

SHA512
63fc7643dbae65c8996b8d3713c218703f542b7add86f260e6760c4601809c79a1a750fe7291bac3c8e0e822792923277cfcf7e6e1b195c4843638014219da0b

Download Submit
memory/4256-133-0x0000000000000000-mapping.dmp

Download
memory/4400-132-0x0000000000000000-mapping.dmp

Download