wannacry | 32e43652533f32ad08ba96a0a896c05ce865c01880641ff21008a61169a50038

General

Target

32e43652533f32ad08ba96a0a896c05ce865c01880641ff21008a61169a50038.dll
Size

5.0MB
MD5

64c3e9f584a0b0fdfaf114c3c78273d9
SHA1

df7a6be71e6eba5d703bb1f226feb4012b2bf432
SHA256

32e43652533f32ad08ba96a0a896c05ce865c01880641ff21008a61169a50038
SHA512

f899df01222018f14e7575954c271d4c7120d11b23e2314d59ec5ae9793c60634a66309777449fc084f3d8d5586790f659a509fcedf4a503391527789fed0576

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1262) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

2032 mssecsvr.exe
936 mssecsvr.exe
1752 tasksche.exe

pid	process
2032	mssecsvr.exe
936	mssecsvr.exe
1752	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe

Drops file in Windows directory 4 IoCs

Processes:

mssecsvr.exetasksche.exerundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_7101259	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-54-da-38-6d-62	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-54-da-38-6d-62\WpadDecisionTime = 506ce44e7084d801	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-54-da-38-6d-62\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{79CDD3F5-1EF6-4429-A7FA-510B0F5C5F29}	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{79CDD3F5-1EF6-4429-A7FA-510B0F5C5F29}\WpadDecisionReason = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{79CDD3F5-1EF6-4429-A7FA-510B0F5C5F29}\WpadNetworkName = "Network 3"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{79CDD3F5-1EF6-4429-A7FA-510B0F5C5F29}\ca-54-da-38-6d-62	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{79CDD3F5-1EF6-4429-A7FA-510B0F5C5F29}\WpadDecisionTime = 506ce44e7084d801	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{79CDD3F5-1EF6-4429-A7FA-510B0F5C5F29}\WpadDecision = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-54-da-38-6d-62\WpadDecisionReason = "1"	mssecsvr.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exe

description	pid	process	target process
PID 1664 wrote to memory of 1888	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 1888	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 1888	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 1888	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 1888	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 1888	1664	rundll32.exe	rundll32.exe
PID 1664 wrote to memory of 1888	1664	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 2032	1888	rundll32.exe	mssecsvr.exe
PID 1888 wrote to memory of 2032	1888	rundll32.exe	mssecsvr.exe
PID 1888 wrote to memory of 2032	1888	rundll32.exe	mssecsvr.exe
PID 1888 wrote to memory of 2032	1888	rundll32.exe	mssecsvr.exe
PID 2032 wrote to memory of 1752	2032	mssecsvr.exe	tasksche.exe
PID 2032 wrote to memory of 1752	2032	mssecsvr.exe	tasksche.exe
PID 2032 wrote to memory of 1752	2032	mssecsvr.exe	tasksche.exe
PID 2032 wrote to memory of 1752	2032	mssecsvr.exe	tasksche.exe
PID 2032 wrote to memory of 1752	2032	mssecsvr.exe	tasksche.exe
PID 2032 wrote to memory of 1752	2032	mssecsvr.exe	tasksche.exe
PID 2032 wrote to memory of 1752	2032	mssecsvr.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32e43652533f32ad08ba96a0a896c05ce865c01880641ff21008a61169a50038.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32e43652533f32ad08ba96a0a896c05ce865c01880641ff21008a61169a50038.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1888

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2032

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1752

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
582a6a9581116c1b670aa804ef41d1d8

SHA1
46bd1026ac63d9b22d6dd8935f23cb2eb8057ed2

SHA256
c1500978e57d8b886e4bd0782b8679045bef80537ca993fc76ce81103c7f0beb

SHA512
600f4ef787e9497e34d5e42e82815c8efaec0ba37872246dd66edcefd3a02dad8206b0e91f27ac73be9d7e44512c8f10db042fc34012828fd35884f2e4227807

Download Submit
C:\WINDOWS\tasksche.exe
Filesize
2.0MB

MD5
d7421e05d407fc58d2b5524c8ca6d566

SHA1
ef787a0c924ce046e5b0e0ae918b8f7c9afcf76f

SHA256
1f834385decc777c41a193e77be01215495bccd0c9ce4f6c08f9a60824021da3

SHA512
84a78f6826c50bb1357d1fdfe2cf09a8c8772404d0483c21572313f5bd3c16466c038667231ee2fc21ae19bb31651249d0e073a4e87eb64b026dd033e1f6c158

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
582a6a9581116c1b670aa804ef41d1d8

SHA1
46bd1026ac63d9b22d6dd8935f23cb2eb8057ed2

SHA256
c1500978e57d8b886e4bd0782b8679045bef80537ca993fc76ce81103c7f0beb

SHA512
600f4ef787e9497e34d5e42e82815c8efaec0ba37872246dd66edcefd3a02dad8206b0e91f27ac73be9d7e44512c8f10db042fc34012828fd35884f2e4227807

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
582a6a9581116c1b670aa804ef41d1d8

SHA1
46bd1026ac63d9b22d6dd8935f23cb2eb8057ed2

SHA256
c1500978e57d8b886e4bd0782b8679045bef80537ca993fc76ce81103c7f0beb

SHA512
600f4ef787e9497e34d5e42e82815c8efaec0ba37872246dd66edcefd3a02dad8206b0e91f27ac73be9d7e44512c8f10db042fc34012828fd35884f2e4227807

Download Submit
C:\Windows\tasksche.exe
Filesize
2.0MB

MD5
d7421e05d407fc58d2b5524c8ca6d566

SHA1
ef787a0c924ce046e5b0e0ae918b8f7c9afcf76f

SHA256
1f834385decc777c41a193e77be01215495bccd0c9ce4f6c08f9a60824021da3

SHA512
84a78f6826c50bb1357d1fdfe2cf09a8c8772404d0483c21572313f5bd3c16466c038667231ee2fc21ae19bb31651249d0e073a4e87eb64b026dd033e1f6c158

Download Submit
memory/1752-62-0x0000000000000000-mapping.dmp

Download
memory/1888-54-0x0000000000000000-mapping.dmp

Download
memory/1888-55-0x00000000755B1000-0x00000000755B3000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads