wannacry | 3306137b572036b9253e044ca7d2c922f03b2835b8c94d28d9d87c3d676d9060

General

Target

3306137b572036b9253e044ca7d2c922f03b2835b8c94d28d9d87c3d676d9060.dll
Size

5.0MB
MD5

9274127ad34be955589aec0d24f20656
SHA1

4240e7fa37b2eb26144ac633a323ee6f5d92f76a
SHA256

3306137b572036b9253e044ca7d2c922f03b2835b8c94d28d9d87c3d676d9060
SHA512

032f8568aa686317df1966ba4ef2cf267caf5823ccfd159996ea0613d61db04b72e7197d0ed51e58aa5e8033c05a08ac5237e2ee5a8fe875e4c22843f6a0aa33

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1070) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

948 mssecsvc.exe
1992 mssecsvc.exe
1888 tasksche.exe

pid	process
948	mssecsvc.exe
1992	mssecsvc.exe
1888	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 304 wrote to memory of 1640	304	rundll32.exe	rundll32.exe
PID 304 wrote to memory of 1640	304	rundll32.exe	rundll32.exe
PID 304 wrote to memory of 1640	304	rundll32.exe	rundll32.exe
PID 304 wrote to memory of 1640	304	rundll32.exe	rundll32.exe
PID 304 wrote to memory of 1640	304	rundll32.exe	rundll32.exe
PID 304 wrote to memory of 1640	304	rundll32.exe	rundll32.exe
PID 304 wrote to memory of 1640	304	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 948	1640	rundll32.exe	mssecsvc.exe
PID 1640 wrote to memory of 948	1640	rundll32.exe	mssecsvc.exe
PID 1640 wrote to memory of 948	1640	rundll32.exe	mssecsvc.exe
PID 1640 wrote to memory of 948	1640	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3306137b572036b9253e044ca7d2c922f03b2835b8c94d28d9d87c3d676d9060.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:304
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3306137b572036b9253e044ca7d2c922f03b2835b8c94d28d9d87c3d676d9060.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:948
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1888

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
10366c1679f89337960f7d56b8248449

SHA1
53358b0d461ff05303e494dfc967a84037176959

SHA256
4891e9a9ddf83530f8ea968620e611156191085867d35598358a067327892e68

SHA512
fb35e73cf564439f61ef23de1b95b9a4f6a9242c97f2a6fbc2add86e5d9930bf3195f21bd890c0a686cddb6c21d94101648a6b7acba2fa35f9e26de9dcb16703

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
10366c1679f89337960f7d56b8248449

SHA1
53358b0d461ff05303e494dfc967a84037176959

SHA256
4891e9a9ddf83530f8ea968620e611156191085867d35598358a067327892e68

SHA512
fb35e73cf564439f61ef23de1b95b9a4f6a9242c97f2a6fbc2add86e5d9930bf3195f21bd890c0a686cddb6c21d94101648a6b7acba2fa35f9e26de9dcb16703

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
10366c1679f89337960f7d56b8248449

SHA1
53358b0d461ff05303e494dfc967a84037176959

SHA256
4891e9a9ddf83530f8ea968620e611156191085867d35598358a067327892e68

SHA512
fb35e73cf564439f61ef23de1b95b9a4f6a9242c97f2a6fbc2add86e5d9930bf3195f21bd890c0a686cddb6c21d94101648a6b7acba2fa35f9e26de9dcb16703

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
0725c9559bbee5e80732b792b0458430

SHA1
080d4968d62fe78fdd777e6daea99ae3ebd03fe8

SHA256
e18b91596cf5297ecc48115c5f9703e9d73e1e5eda9e5f88a7a924472bf37689

SHA512
91a33a43bcf3e358588e0c5a817b41c39c593c855f24f7d3dcfb4c2aa1c3dceb1b937615e6d4363645f7c2bbd18323d4431b2aec6b7c0f441c9080a0694679b1

Download Submit
memory/948-56-0x0000000000000000-mapping.dmp

Download
memory/1640-54-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing