wannacry | debb3e5fcf40bb8a9fbc5175607ab6c2efe4f444c230f968552dc8c467f6fd8b

Analysis

max time kernel
77s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

debb3e5fcf40bb8a9fbc5175607ab6c2efe4f444c230f968552dc8c467f6fd8b.dll
Size

5.0MB
MD5

015362445a39c40edbe754fba2287fcd
SHA1

3d063a1b1b5b426ae5bbffd21d5c38037289f662
SHA256

debb3e5fcf40bb8a9fbc5175607ab6c2efe4f444c230f968552dc8c467f6fd8b
SHA512

ef95c7dca4660db40d5bc038c2251be0dedd85707627c8d30fc8cc933d35604fd7437ebe739922d9d5bcd77d22723eed19aa3447c4a34a87b2638e35ca06faa0
SSDEEP

12288:yebLgPlu+QhMbaIMu7L5N5b0Xo3LL003amJAm:zbLgddQhfdmngB

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1887) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Executes dropped EXE 3 IoCs

pid	Process
5060	mssecsvc.exe
4912	mssecsvc.exe
3112	tasksche.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2720	4616	rundll32.exe	22
PID 4616 wrote to memory of 2720	4616	rundll32.exe	22
PID 4616 wrote to memory of 2720	4616	rundll32.exe	22
PID 2720 wrote to memory of 5060	2720	rundll32.exe	82
PID 2720 wrote to memory of 5060	2720	rundll32.exe	82
PID 2720 wrote to memory of 5060	2720	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\debb3e5fcf40bb8a9fbc5175607ab6c2efe4f444c230f968552dc8c467f6fd8b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\debb3e5fcf40bb8a9fbc5175607ab6c2efe4f444c230f968552dc8c467f6fd8b.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5060
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3112

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
1.2MB

MD5
5d275712102c622a798feafc8f5fe5b2

SHA1
8a0acde3bd5dee918a32842ca9758494b038feff

SHA256
37e6c6eeaf3cfb7a885670bdb6cdc645779bfff7ed69a6ca911ddfda344abb50

SHA512
c2f56a2c0f164cb3d3a17e2a77298239c5e6487af0cb9e1aed19a5d80bb69b7aa20fae6588ea581b8607a9232f1cae399faeb9857178e3c5887bd0686b8158de

Download Submit
C:\Windows\mssecsvc.exe

Filesize
1.2MB

MD5
c883f39afe6a497e28c63d9342e07ab0

SHA1
f948d8e6c98e4f8aae60db097c573bafc044a7ad

SHA256
e45f298a78621d8c10945443782b274b627b178ac755ca82a40c751feaef00a2

SHA512
9b5c26a748e02d43041acd736f9e3c6b1d22a6a7ca75e8d6a11743b351ca9275f8981bda7cbf61ea97331d77fc1aac2647de89b91882ba166febba525bbe8b01

Download Submit
C:\Windows\mssecsvc.exe

Filesize
1.4MB

MD5
31062a8eae82712ac534c7357092baba

SHA1
b49679cace744f2c5a3eaf7ab9bcae2380bd295f

SHA256
95c59dfcaab20b41242b5eadc59907f372fa774a000a778b400a25a7cf7281b8

SHA512
82838752ff314a8bf8ad1d6d62acd3a297c7f8175daccfcdee23f1675191a9a023fa8b54f2836cf88973f0107d2e05a17be12728d5a12faf0a5a8586517d52dd

Download Submit
C:\Windows\tasksche.exe

Filesize
1021KB

MD5
65ea72549b26d27be11190a728324bb5

SHA1
a3a5146c5f25171b8276a4d35cb1e634e908f103

SHA256
719376506c3cf78b9ee5e1f48937a47c61cabd917bb595caf88142214fd17631

SHA512
52dba13ca683fa4a32c88e82c3af4d84a67c71cc911e78b2664a26d71b4ae231936663992d7956604b1810189fd4c63b057699b22c463ef74ec3eccbd36d5aac

Download Submit