wannacry | 3523eaea635d4f782c31bddf9faa325b926c7cd6248ba5472c3742c8d136d99c

General

Target

3523eaea635d4f782c31bddf9faa325b926c7cd6248ba5472c3742c8d136d99c.dll
Size

5.0MB
MD5

450f9c7181311b782c0308b98f0aeb49
SHA1

346f9b7b2f91d3d16759d0de5345e54e467d77cf
SHA256

3523eaea635d4f782c31bddf9faa325b926c7cd6248ba5472c3742c8d136d99c
SHA512

4de16f91d36ab4be5df34e5b4cd0331c964e1faa82e1a5f25f69b33a7eb10973f0ffa692b63527fc4d412086354f712a5d64038ef4a94957e76d29270b236a69

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (3246) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4252 mssecsvc.exe
3768 mssecsvc.exe
1988 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4252	mssecsvc.exe
3768	mssecsvc.exe
1988	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1160 wrote to memory of 4496	1160	rundll32.exe	rundll32.exe
PID 1160 wrote to memory of 4496	1160	rundll32.exe	rundll32.exe
PID 1160 wrote to memory of 4496	1160	rundll32.exe	rundll32.exe
PID 4496 wrote to memory of 4252	4496	rundll32.exe	mssecsvc.exe
PID 4496 wrote to memory of 4252	4496	rundll32.exe	mssecsvc.exe
PID 4496 wrote to memory of 4252	4496	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3523eaea635d4f782c31bddf9faa325b926c7cd6248ba5472c3742c8d136d99c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3523eaea635d4f782c31bddf9faa325b926c7cd6248ba5472c3742c8d136d99c.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4496

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4252

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1988

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
0f5f0bd6d2a65a8dc9e7bb4ef4a88bce

SHA1
e89db64e255166ab3dc278497466371b5937d2f4

SHA256
26581e2669cf618ee9f940dd8d6e136d7f0fe1bb79f9d52a86ebdce2b2c7b97f

SHA512
374f090fa41c353384cbafaa36630ba4713891987b766b810806df6ed08283f9f94b5c26c5fc2bef6196d522c107a5126a50a8bb5c7361bae13e350741efdfaa

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0f5f0bd6d2a65a8dc9e7bb4ef4a88bce

SHA1
e89db64e255166ab3dc278497466371b5937d2f4

SHA256
26581e2669cf618ee9f940dd8d6e136d7f0fe1bb79f9d52a86ebdce2b2c7b97f

SHA512
374f090fa41c353384cbafaa36630ba4713891987b766b810806df6ed08283f9f94b5c26c5fc2bef6196d522c107a5126a50a8bb5c7361bae13e350741efdfaa

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0f5f0bd6d2a65a8dc9e7bb4ef4a88bce

SHA1
e89db64e255166ab3dc278497466371b5937d2f4

SHA256
26581e2669cf618ee9f940dd8d6e136d7f0fe1bb79f9d52a86ebdce2b2c7b97f

SHA512
374f090fa41c353384cbafaa36630ba4713891987b766b810806df6ed08283f9f94b5c26c5fc2bef6196d522c107a5126a50a8bb5c7361bae13e350741efdfaa

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
1115646e655f3b67437fc86a3d73053f

SHA1
4797c909a1de48b1f509e4ff996226251232a6ff

SHA256
329a77b46bf97b3fc8f7733605d92ef7f888980172174d3c7230384980add132

SHA512
ca8cd6ab6beb57c1a07ea215d11622011d288b1318ca12a5d08124f163da30833f4e574fdc52e99ca5f8c2b2d040b5f88e9cdca4909d32b9e6739de4b0b1e154

Download Submit
memory/4252-131-0x0000000000000000-mapping.dmp

Download
memory/4496-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing