wannacry | 3214a6bc1516237a1dd43a7362e4c5d8a48528aeadd8151eae8e9030fd98f273

General

Target

3214a6bc1516237a1dd43a7362e4c5d8a48528aeadd8151eae8e9030fd98f273.dll
Size

5.0MB
MD5

c6f93103b29652dbe18510ea58016058
SHA1

99f707cdd51c938b85b43413d982325919f18cd1
SHA256

3214a6bc1516237a1dd43a7362e4c5d8a48528aeadd8151eae8e9030fd98f273
SHA512

4a243ef4bf2ae2b01030c00f576c4c83a378f280e03f356c7298d5eaa41720722616da5dd7e4466b572158e658a01b92e09ff245b9c218949945e061bb40980d

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (821) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

952 mssecsvc.exe
1204 mssecsvc.exe
1780 tasksche.exe

pid	process
952	mssecsvc.exe
1204	mssecsvc.exe
1780	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0098000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECF95D5E-4407-424C-86E7-F4723D19804D}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECF95D5E-4407-424C-86E7-F4723D19804D}\f6-75-01-24-bf-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-75-01-24-bf-77\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-75-01-24-bf-77\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-75-01-24-bf-77\WpadDecisionTime = 10329d7ed484d801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECF95D5E-4407-424C-86E7-F4723D19804D}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-75-01-24-bf-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECF95D5E-4407-424C-86E7-F4723D19804D}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECF95D5E-4407-424C-86E7-F4723D19804D}\WpadDecisionTime = 10329d7ed484d801	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECF95D5E-4407-424C-86E7-F4723D19804D}\WpadNetworkName = "Network 2"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 904 wrote to memory of 1688	904	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1688	904	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1688	904	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1688	904	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1688	904	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1688	904	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1688	904	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 952	1688	rundll32.exe	mssecsvc.exe
PID 1688 wrote to memory of 952	1688	rundll32.exe	mssecsvc.exe
PID 1688 wrote to memory of 952	1688	rundll32.exe	mssecsvc.exe
PID 1688 wrote to memory of 952	1688	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3214a6bc1516237a1dd43a7362e4c5d8a48528aeadd8151eae8e9030fd98f273.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3214a6bc1516237a1dd43a7362e4c5d8a48528aeadd8151eae8e9030fd98f273.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:952
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1780

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
8bcc3517b17394c04e305a5a31fbb5d6

SHA1
8e789cf5b8d483691554d6315212b00fb0f2727f

SHA256
c5d66f91b1b6b9ff6be7ca61ed7989b02d753b182959878db5b5dac064444b4d

SHA512
5137ca1fb369ea7de967307f9038d098562b257f2f3a46fda69e0d8312253b5b61ef2848dae389ea59a9f75a56acab42956b82916690ba1d3f0ce10e3c7e77c9

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
8bcc3517b17394c04e305a5a31fbb5d6

SHA1
8e789cf5b8d483691554d6315212b00fb0f2727f

SHA256
c5d66f91b1b6b9ff6be7ca61ed7989b02d753b182959878db5b5dac064444b4d

SHA512
5137ca1fb369ea7de967307f9038d098562b257f2f3a46fda69e0d8312253b5b61ef2848dae389ea59a9f75a56acab42956b82916690ba1d3f0ce10e3c7e77c9

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
8bcc3517b17394c04e305a5a31fbb5d6

SHA1
8e789cf5b8d483691554d6315212b00fb0f2727f

SHA256
c5d66f91b1b6b9ff6be7ca61ed7989b02d753b182959878db5b5dac064444b4d

SHA512
5137ca1fb369ea7de967307f9038d098562b257f2f3a46fda69e0d8312253b5b61ef2848dae389ea59a9f75a56acab42956b82916690ba1d3f0ce10e3c7e77c9

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
f22c104bdced739dd330228c7818f972

SHA1
c79950f1e331f6d005e469843a6927e8d1bf641f

SHA256
0e4d85f35083e1dac36ed2533d945f4c1b81455241ac5b319680613d833e8b95

SHA512
87312affbfd18d35652f136480ff73cdc7e6933af46bcd2116603776fdc7ac57d38585459530d317d5ca2b2ae560e57ec426b70de9cfadc48625962d9aa022f0

Download Submit
memory/952-56-0x0000000000000000-mapping.dmp

Download
memory/1688-54-0x0000000000000000-mapping.dmp

Download
memory/1688-55-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads