wannacry | 28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe

General

Target

28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe.dll
Size

5.0MB
MD5

944fee9b45c08401b1eec8dc1cc06d0c
SHA1

1cc8b3a27c4f083ebd4787e3fbb8ea3c90d5fb00
SHA256

28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe
SHA512

c31a988b8f74d1ef554329451b45961c698e767f7f6796e1cd9ccb74c420411f9023e5b842cdd272f5da4ce0a7eacdbb1ac97a51cb681e3925a86e9f4d0111d7

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (3283) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

716 mssecsvc.exe
4432 mssecsvc.exe
3360 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
716	mssecsvc.exe
4432	mssecsvc.exe
3360	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5032 wrote to memory of 1136	5032	rundll32.exe	rundll32.exe
PID 5032 wrote to memory of 1136	5032	rundll32.exe	rundll32.exe
PID 5032 wrote to memory of 1136	5032	rundll32.exe	rundll32.exe
PID 1136 wrote to memory of 716	1136	rundll32.exe	mssecsvc.exe
PID 1136 wrote to memory of 716	1136	rundll32.exe	mssecsvc.exe
PID 1136 wrote to memory of 716	1136	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1136

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:716

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3360

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
491a5e67c6ebfe3a20c7d63a490c1574

SHA1
0807884126c2d7e7c51e10c2121ecb3e8d6c2e45

SHA256
fd48df24ee4c54357bcc70ff5c1b46a32b60e1c1a2456d6c22c62558454329b8

SHA512
7a80f2ac87d094b43596f539de9f0884a465db6c49e7d31b810f82106c0d5a479a79b9356e9e17744b70c39e7d438cf0e787f680a641653ca24ab93d679d4298

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
491a5e67c6ebfe3a20c7d63a490c1574

SHA1
0807884126c2d7e7c51e10c2121ecb3e8d6c2e45

SHA256
fd48df24ee4c54357bcc70ff5c1b46a32b60e1c1a2456d6c22c62558454329b8

SHA512
7a80f2ac87d094b43596f539de9f0884a465db6c49e7d31b810f82106c0d5a479a79b9356e9e17744b70c39e7d438cf0e787f680a641653ca24ab93d679d4298

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
491a5e67c6ebfe3a20c7d63a490c1574

SHA1
0807884126c2d7e7c51e10c2121ecb3e8d6c2e45

SHA256
fd48df24ee4c54357bcc70ff5c1b46a32b60e1c1a2456d6c22c62558454329b8

SHA512
7a80f2ac87d094b43596f539de9f0884a465db6c49e7d31b810f82106c0d5a479a79b9356e9e17744b70c39e7d438cf0e787f680a641653ca24ab93d679d4298

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a17cf69bff08691c887dead938d41490

SHA1
a1d549fdacc6d264543a40d5020a9944f7fc193a

SHA256
6677f606aae04cfbf25f6a10700f7bd334df03299b2153d040ea119010c56057

SHA512
07c1e2be038efbdf6bd757c45de44a7ed7985875f69317390a7040e5678799fbc0ca8985a034d4f48c156c81e4368cd8f0b0e84513fdfd43e1c7b9c0012a70d6

Download Submit
memory/716-131-0x0000000000000000-mapping.dmp

Download
memory/1136-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing