wannacry | 287e5812b0c53fe94fc90a3f31b97fbee3d7b9f8fa5b7f38bd59c3d8014ef006

Analysis

Target

mssecsvc.exe
Size

3.6MB
MD5

e8089341ee0442a2ecf82e4b70829143
SHA1

cec9a0b3c2914b49bf0b5dbbd3b1907cb8a6b578
SHA256

55bc52ead4c668b4dad978bebd80821a68eccd36b3927072a5d113cd5d79a27a
SHA512

738f731a3e118245c092a99e6822bb6e3f2294bcf4ec28ff4bbf43a98a0567d8d8d7b9ffff1bb5f7a9162335427c2e682a5ad48c9f9413818cd3baf81c6f0862

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (3320) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

1580 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 1 IoCs

Processes:

mssecsvc.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1580	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe
"C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe"
1⤵
- Drops file in Windows directory
PID:2900

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe
C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:3932

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7bffd6dfd8e5c5fe55577df5d87559e5

SHA1
3536b3d1fa74db8619e305ff4bc772ea82d53c0f

SHA256
c5d0817617551bf5bae966e0c95ad66a1f536633b44b0eeb09ae3ee33ac67980

SHA512
af153f93af0a80b2ab351eced1063d164f9c43ad5f604ddae41b738a03bf1e12b723c312905165725894b9e1d4d38841b48123d995371eaab33fd9574047e77e

Download Submit