wannacry | 276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c

General

Target

276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c.dll
Size

5.0MB
MD5

cb99dbcc738243976831a1a5af249010
SHA1

11b3de1c41e9d87610011145d0f81eeb5c44a8ca
SHA256

276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c
SHA512

3a24cb1d1fcf846efa62c458eabef31368a5fab5470ba3902e7e377524607a250be5aa0ecd1d46f08cb3754344edb87d4185e9c0cf9a2d0282b40b18effe447e

Score

10^/10

wannacry ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1812 mssecsvc.exe
1364 mssecsvc.exe
872 tasksche.exe

pid	process
1812	mssecsvc.exe
1364	mssecsvc.exe
872	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2\WpadDecisionTime = a0b8b6375381d801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadNetworkName = "Network 2"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\22-c1-b6-ea-72-f2	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadDecisionTime = a0b8b6375381d801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0099000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1612 wrote to memory of 1304	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1304	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1304	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1304	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1304	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1304	1612	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1304	1612	rundll32.exe	rundll32.exe
PID 1304 wrote to memory of 1812	1304	rundll32.exe	mssecsvc.exe
PID 1304 wrote to memory of 1812	1304	rundll32.exe	mssecsvc.exe
PID 1304 wrote to memory of 1812	1304	rundll32.exe	mssecsvc.exe
PID 1304 wrote to memory of 1812	1304	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1304

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1812

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:872

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
1c2cbf9b0ccb996cd409d5e04f984c8b

SHA1
b917edbc6195f05bd90f018304a5801b4ca24592

SHA256
780a9129e626c4867bc6534ad94aca8f52a904b25f840f3ffdba03258d23cfc2

SHA512
30a91b10aa74ad5a1f293364fce07ba9ac031b5fc5ea3798de02593f1eb9fbf1147a847b2ad0fc7cd59d428cabd3f261b06bd1e8676f137b30b81b75fd87248a

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
1c2cbf9b0ccb996cd409d5e04f984c8b

SHA1
b917edbc6195f05bd90f018304a5801b4ca24592

SHA256
780a9129e626c4867bc6534ad94aca8f52a904b25f840f3ffdba03258d23cfc2

SHA512
30a91b10aa74ad5a1f293364fce07ba9ac031b5fc5ea3798de02593f1eb9fbf1147a847b2ad0fc7cd59d428cabd3f261b06bd1e8676f137b30b81b75fd87248a

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a3237e084ef19e3276e890d4c407c394

SHA1
50c0a4b38fb2d8f9ca5cbc70a40e8f0f29eb98e6

SHA256
545e161df72ba71155cfb65abbefb621ee54317593cfe5ce586794112185b2da

SHA512
2bfa2262d440c88a2fcd232df61d33cdfc89acde14980bcfaf1c646b1fcad18a44170b1f700604bea9d6940bee33998b27e1cde91385c36df2ef7390bb8792da

Download Submit
memory/1304-54-0x0000000000000000-mapping.dmp

Download
memory/1304-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1812-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads