Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-01-2023 11:49
Static task
static1
Behavioral task
behavioral1
Sample
Win32.Wannacry.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Win32.Wannacry.dll
Resource
win10v2004-20220812-en
General
-
Target
Win32.Wannacry.dll
-
Size
5.0MB
-
MD5
30fe2f9a048d7a734c8d9233f64810ba
-
SHA1
2027a053de21bd5c783c3f823ed1d36966780ed4
-
SHA256
55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3
-
SHA512
b657b02506f768db3255293b0c86452b4dfdd30804629c323aaa9510a3b637b0906e5963179ef7d4aaedc14646f2be2b4292e6584a6c55c6ddb596cff7f20e2a
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 3760 mssecsvc.exe 2280 mssecsvc.exe 2604 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
taskmgr.exepid process 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 3860 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 3860 taskmgr.exe Token: SeSystemProfilePrivilege 3860 taskmgr.exe Token: SeCreateGlobalPrivilege 3860 taskmgr.exe Token: 33 3860 taskmgr.exe Token: SeIncBasePriorityPrivilege 3860 taskmgr.exe -
Suspicious use of FindShellTrayWindow 42 IoCs
Processes:
taskmgr.exepid process 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe -
Suspicious use of SendNotifyMessage 42 IoCs
Processes:
taskmgr.exepid process 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe 3860 taskmgr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4664 wrote to memory of 4860 4664 rundll32.exe rundll32.exe PID 4664 wrote to memory of 4860 4664 rundll32.exe rundll32.exe PID 4664 wrote to memory of 4860 4664 rundll32.exe rundll32.exe PID 4860 wrote to memory of 3760 4860 rundll32.exe mssecsvc.exe PID 4860 wrote to memory of 3760 4860 rundll32.exe mssecsvc.exe PID 4860 wrote to memory of 3760 4860 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Win32.Wannacry.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Win32.Wannacry.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD590a1e06d78737b9a87e8ea42f76e2544
SHA1785ddf8bd3add2da415cbc7c39aab7eb21407d20
SHA256e1bee0f7a7cd0ac8659033d9e67bfc83ae03843ed30dff8ca590f916604a6de7
SHA51240ee623eb975b3890d3e8260e76963d078a7734c040d4151fa0cf11fd6e2421f5ea609f67922a51c6df7a09f077087361586d5f40208bc97ee70531e2a3df5be
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD590a1e06d78737b9a87e8ea42f76e2544
SHA1785ddf8bd3add2da415cbc7c39aab7eb21407d20
SHA256e1bee0f7a7cd0ac8659033d9e67bfc83ae03843ed30dff8ca590f916604a6de7
SHA51240ee623eb975b3890d3e8260e76963d078a7734c040d4151fa0cf11fd6e2421f5ea609f67922a51c6df7a09f077087361586d5f40208bc97ee70531e2a3df5be
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD590a1e06d78737b9a87e8ea42f76e2544
SHA1785ddf8bd3add2da415cbc7c39aab7eb21407d20
SHA256e1bee0f7a7cd0ac8659033d9e67bfc83ae03843ed30dff8ca590f916604a6de7
SHA51240ee623eb975b3890d3e8260e76963d078a7734c040d4151fa0cf11fd6e2421f5ea609f67922a51c6df7a09f077087361586d5f40208bc97ee70531e2a3df5be
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD50df2ae526d7350c2e3d1383c07a6be04
SHA106c4d41c60736ea1e0bb1b095536499e05068442
SHA25610111f53da4181d548ea77cc91f02a15b9ede3f111f074230761f2afee7cd637
SHA5129ca1ca36dcefdb1eba3152bc2d14c9dceb3360960338d13db5f8a02327aef80cb0ab238c2c1f3d2dbd7fd75124d4199b5cd63f173a09a0dea212ebb265f8453d
-
memory/3760-133-0x0000000000000000-mapping.dmp
-
memory/4860-132-0x0000000000000000-mapping.dmp