wannacry | b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83

Analysis

max time kernel
154s
max time network
161s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83.dll
Size

5.0MB
MD5

5cfb415656b90415c61f63f926687bba
SHA1

38f948257e65bce017effb1dd4166b45857a8664
SHA256

b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83
SHA512

12a7ceecd273801afb49e464b8f9365de6c0f28474bfdb80692b63e5b5a534150e494d518dc0a89b0022b12cb090b55184ea44e04586c828120c8653cd3a32bf
SSDEEP

12288:ywbLgPluxQhMbaIMk3CgvggHOTcjys758YJM0Q4sYWs7GRaocwj:JbLgdeQhfdk3Cg4gycjys7xG

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1232) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

888 mssecsvc.exe
572 mssecsvc.exe
268 tasksche.exe

pid	process
888	mssecsvc.exe
572	mssecsvc.exe
268	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1116 wrote to memory of 1692	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 1692	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 1692	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 1692	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 1692	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 1692	1116	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 1692	1116	rundll32.exe	rundll32.exe
PID 1692 wrote to memory of 888	1692	rundll32.exe	mssecsvc.exe
PID 1692 wrote to memory of 888	1692	rundll32.exe	mssecsvc.exe
PID 1692 wrote to memory of 888	1692	rundll32.exe	mssecsvc.exe
PID 1692 wrote to memory of 888	1692	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1692

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:888

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:268

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
304c244de941e6822cd124d7a13e11db

SHA1
a81747913ef9bd9079bcb87c97ac79e8050b3529

SHA256
26976b3366452c0b547f8c95e0e7253e68f290e9c3fe96be328ec72903cf17cf

SHA512
bb71534d28bde826132684d55bf8d9f70ccc90c2b74b354b3abfe2bef0d7b29693702b2d20f2793f3dbb558773e3409f4bfb308b1168266dc039854dbf1aa20c

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
304c244de941e6822cd124d7a13e11db

SHA1
a81747913ef9bd9079bcb87c97ac79e8050b3529

SHA256
26976b3366452c0b547f8c95e0e7253e68f290e9c3fe96be328ec72903cf17cf

SHA512
bb71534d28bde826132684d55bf8d9f70ccc90c2b74b354b3abfe2bef0d7b29693702b2d20f2793f3dbb558773e3409f4bfb308b1168266dc039854dbf1aa20c

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
304c244de941e6822cd124d7a13e11db

SHA1
a81747913ef9bd9079bcb87c97ac79e8050b3529

SHA256
26976b3366452c0b547f8c95e0e7253e68f290e9c3fe96be328ec72903cf17cf

SHA512
bb71534d28bde826132684d55bf8d9f70ccc90c2b74b354b3abfe2bef0d7b29693702b2d20f2793f3dbb558773e3409f4bfb308b1168266dc039854dbf1aa20c

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f02b23daefdd0fca354f7349339d98b8

SHA1
9df8d46f307540832d3163d834978a3f2cdfd6df

SHA256
cf2265768a9db3913740f9b11c47f2382a35e80c1c002c7d36110438042f6298

SHA512
ca5611872f0b0941a4874c1f3b22a57c266c7686409065e9569ad3e18ea731769ed3a75652ea9c6b7f5b352f8925bf37b0f7264fac2a4b6c69356819cf8915ce

Download Submit
memory/888-56-0x0000000000000000-mapping.dmp

Download
memory/1692-54-0x0000000000000000-mapping.dmp

Download
memory/1692-55-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download