wannacry | 2c5a1a2aea7f263f2cbb063f45badccd7165b35de48c67247bf8038ff9c2f623

General

Target

2c5a1a2aea7f263f2cbb063f45badccd7165b35de48c67247bf8038ff9c2f623.dll
Size

5.0MB
MD5

3340eec1f90de20b798e5f6c2a7b6434
SHA1

ba6ab639f7ddf21da263ac9c7a48572c31d87d10
SHA256

2c5a1a2aea7f263f2cbb063f45badccd7165b35de48c67247bf8038ff9c2f623
SHA512

541fe3301b13d69bf75c738f95919af2cb52e89911c9b9985403179d0d9efe14f8cdfdad8eacc128f8cb4f014a774726db3ab2de36e7c6b335beba53c532ea0d

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (3293) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

776 mssecsvc.exe
2164 mssecsvc.exe
1960 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
776	mssecsvc.exe
2164	mssecsvc.exe
1960	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5004 wrote to memory of 4080	5004	rundll32.exe	rundll32.exe
PID 5004 wrote to memory of 4080	5004	rundll32.exe	rundll32.exe
PID 5004 wrote to memory of 4080	5004	rundll32.exe	rundll32.exe
PID 4080 wrote to memory of 776	4080	rundll32.exe	mssecsvc.exe
PID 4080 wrote to memory of 776	4080	rundll32.exe	mssecsvc.exe
PID 4080 wrote to memory of 776	4080	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c5a1a2aea7f263f2cbb063f45badccd7165b35de48c67247bf8038ff9c2f623.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c5a1a2aea7f263f2cbb063f45badccd7165b35de48c67247bf8038ff9c2f623.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4080

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:776

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1960

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
4f8187f7307f33cd25935f5e880ee047

SHA1
984fd9e94a96d476a85ecb69bd08c390f29a3043

SHA256
7a76798a97e062a6dd903570e459fdbb9aa4c24410d6cce8fe0de2e9097df571

SHA512
7bfa53a6e63dc596a71191df784e09dd435bff9063fe8042c162d0c09e5f4f5713e39b9d32329eaf68cf4ed7fe1ba9e7703d3871394df8663a1ac1ebc3572815

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
4f8187f7307f33cd25935f5e880ee047

SHA1
984fd9e94a96d476a85ecb69bd08c390f29a3043

SHA256
7a76798a97e062a6dd903570e459fdbb9aa4c24410d6cce8fe0de2e9097df571

SHA512
7bfa53a6e63dc596a71191df784e09dd435bff9063fe8042c162d0c09e5f4f5713e39b9d32329eaf68cf4ed7fe1ba9e7703d3871394df8663a1ac1ebc3572815

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
4f8187f7307f33cd25935f5e880ee047

SHA1
984fd9e94a96d476a85ecb69bd08c390f29a3043

SHA256
7a76798a97e062a6dd903570e459fdbb9aa4c24410d6cce8fe0de2e9097df571

SHA512
7bfa53a6e63dc596a71191df784e09dd435bff9063fe8042c162d0c09e5f4f5713e39b9d32329eaf68cf4ed7fe1ba9e7703d3871394df8663a1ac1ebc3572815

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b91800f044097d66a2956440ade809e3

SHA1
163381e41d1665d3325f0081b0feb83f399a117f

SHA256
324eaf7b3ecae86cfe0f4c27783e777714512b8b2a017314089bf335ecad7fe9

SHA512
a191ef5d5493949dcf649e22629d748f2059c1a5d95013ec1bbf9ad835e61e4e9d0cd7ad5df6e8e33c417e412256cb796c2576a5935860dcdc67d2dbb91177a4

Download Submit
memory/776-131-0x0000000000000000-mapping.dmp

Download
memory/4080-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing