wannacry | 1fac100d4c262c460a3028c417d0793fdc97dee5e4330cf44cb61e3347e58059

General

Target

1fac100d4c262c460a3028c417d0793fdc97dee5e4330cf44cb61e3347e58059.dll
Size

5.0MB
MD5

c335ac7e229f289831b9a8d849a5ac8d
SHA1

2a389f32d429343a0bd58bbff71a9931d132dc70
SHA256

1fac100d4c262c460a3028c417d0793fdc97dee5e4330cf44cb61e3347e58059
SHA512

3dc3cf7878cf26831b229adc38402cdfdd7ee0e1aaacff1e17e53325b2184cd22ef78f1551c129927c86dd49fa7eb1347554f78a1528fa7affdc5b7692ef190b

Score

10^/10

wannacry ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1928 mssecsvc.exe
1684 mssecsvc.exe
908 tasksche.exe

pid	process
1928	mssecsvc.exe
1684	mssecsvc.exe
908	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-23-d3-12-a6-88	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-23-d3-12-a6-88\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-23-d3-12-a6-88\WpadDecisionTime = 10d52273b37ed801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{857A3553-8A48-49A7-9178-1C132D1C3FDE}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{857A3553-8A48-49A7-9178-1C132D1C3FDE}\WpadNetworkName = "Network 2"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0093000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{857A3553-8A48-49A7-9178-1C132D1C3FDE}\WpadDecisionTime = 10d52273b37ed801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{857A3553-8A48-49A7-9178-1C132D1C3FDE}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{857A3553-8A48-49A7-9178-1C132D1C3FDE}\72-23-d3-12-a6-88	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-23-d3-12-a6-88\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{857A3553-8A48-49A7-9178-1C132D1C3FDE}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1260 wrote to memory of 1656	1260	rundll32.exe	rundll32.exe
PID 1260 wrote to memory of 1656	1260	rundll32.exe	rundll32.exe
PID 1260 wrote to memory of 1656	1260	rundll32.exe	rundll32.exe
PID 1260 wrote to memory of 1656	1260	rundll32.exe	rundll32.exe
PID 1260 wrote to memory of 1656	1260	rundll32.exe	rundll32.exe
PID 1260 wrote to memory of 1656	1260	rundll32.exe	rundll32.exe
PID 1260 wrote to memory of 1656	1260	rundll32.exe	rundll32.exe
PID 1656 wrote to memory of 1928	1656	rundll32.exe	mssecsvc.exe
PID 1656 wrote to memory of 1928	1656	rundll32.exe	mssecsvc.exe
PID 1656 wrote to memory of 1928	1656	rundll32.exe	mssecsvc.exe
PID 1656 wrote to memory of 1928	1656	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fac100d4c262c460a3028c417d0793fdc97dee5e4330cf44cb61e3347e58059.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fac100d4c262c460a3028c417d0793fdc97dee5e4330cf44cb61e3347e58059.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1656

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1928

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:908

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
90024d3e79ad84afc0b084f84112eddd

SHA1
1c36cf9db5129f930c90c6036a27bd9d46fc9ef0

SHA256
5b3d12263a030961985b28b50510e66ff4540d98006ac0b604d7337a73ca7d56

SHA512
9ef0db9fab5729524edba55b56a0b7f05ab0881bbb9f3e32175b0921926c58b4f7c4fdcb5e67b1f69931cdac4976a0672df13f6ae9889ac2b595b6e6fd9b2a9d

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
90024d3e79ad84afc0b084f84112eddd

SHA1
1c36cf9db5129f930c90c6036a27bd9d46fc9ef0

SHA256
5b3d12263a030961985b28b50510e66ff4540d98006ac0b604d7337a73ca7d56

SHA512
9ef0db9fab5729524edba55b56a0b7f05ab0881bbb9f3e32175b0921926c58b4f7c4fdcb5e67b1f69931cdac4976a0672df13f6ae9889ac2b595b6e6fd9b2a9d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b3b959b279d90ab707370beca99a316c

SHA1
2aed55bc2ece3967405dc479405cf89557582ea2

SHA256
3156c6f1e31bcb4ecfd811c18b27fd3195ca93c0ef48bcf50132d64713a7d31c

SHA512
499e0133b8f21cb8ed0de09a81d70adbe2d9ff36f5f186140e31844b11793c70f0cb0a8c81d7e7cba309e3073b31ea2da7ede97c29b467c49b5d2b63a68611ba

Download Submit
memory/1656-54-0x0000000000000000-mapping.dmp

Download
memory/1656-55-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/1928-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads