wannacry | 314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b

General

Target

314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b.dll
Size

5.0MB
MD5

b3fcc20dffa1033a5e3ce437f38f6e02
SHA1

fb0a472b6a360834e603385283d1780d1eda050a
SHA256

314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b
SHA512

8979a5a95ec1aa841c9cafbc75990c3a6b426fad4fd1a348d3ce793d733911d76216c7b3ae8645a197439b2af69b596718f5c6c9f7edeb70268157400809d178

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (3196) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3476 mssecsvc.exe
3488 mssecsvc.exe
4164 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3476	mssecsvc.exe
3488	mssecsvc.exe
4164	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3328 wrote to memory of 2356	3328	rundll32.exe	rundll32.exe
PID 3328 wrote to memory of 2356	3328	rundll32.exe	rundll32.exe
PID 3328 wrote to memory of 2356	3328	rundll32.exe	rundll32.exe
PID 2356 wrote to memory of 3476	2356	rundll32.exe	mssecsvc.exe
PID 2356 wrote to memory of 3476	2356	rundll32.exe	mssecsvc.exe
PID 2356 wrote to memory of 3476	2356	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2356

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3476

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4164

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
5013eb6be94875fd22a074d43510ba82

SHA1
d407ac35c1c5214dc88678e296f0c694b18dfe44

SHA256
dec59866237b33c7ea5c17650039e46a93154d9317ba7c2595aab91fd669d599

SHA512
2b5b9687d336fe2c1f8a2dbf05efb0cd82f7592f2b35755166d8a6fc18c67d53562bb3076e1e738a7dd2cb1e86514ac520a576b3dc69ee1040e83a51d4129a72

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5013eb6be94875fd22a074d43510ba82

SHA1
d407ac35c1c5214dc88678e296f0c694b18dfe44

SHA256
dec59866237b33c7ea5c17650039e46a93154d9317ba7c2595aab91fd669d599

SHA512
2b5b9687d336fe2c1f8a2dbf05efb0cd82f7592f2b35755166d8a6fc18c67d53562bb3076e1e738a7dd2cb1e86514ac520a576b3dc69ee1040e83a51d4129a72

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5013eb6be94875fd22a074d43510ba82

SHA1
d407ac35c1c5214dc88678e296f0c694b18dfe44

SHA256
dec59866237b33c7ea5c17650039e46a93154d9317ba7c2595aab91fd669d599

SHA512
2b5b9687d336fe2c1f8a2dbf05efb0cd82f7592f2b35755166d8a6fc18c67d53562bb3076e1e738a7dd2cb1e86514ac520a576b3dc69ee1040e83a51d4129a72

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
2341baf2d382f79649dc02af908acb2f

SHA1
73fdc67cd89ffe287ff611360962d3d0999d606a

SHA256
7876ffa07f870db351c73b17a1c22860ddd483475b6275d8bbb088a96c9941d6

SHA512
daecadbb9ac860a88a13af699f6369e036019560d290e986b1c9905e6bc2c8877d5616b4345cde435c18d27ba52fedffd69bf344cf8bc1bc33b56e133a66e8d6

Download Submit
memory/2356-130-0x0000000000000000-mapping.dmp

Download
memory/3476-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing