wannacry | 2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b

General

Target

2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b.dll
Size

5.0MB
MD5

3695f6d3175e85e25ea3cc65ab3801cf
SHA1

a51d6b609237e90287fc6fafb0e2391893785112
SHA256

2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b
SHA512

816a004d5bed585351ae4f115d5746623999608565f761e998b56f305e646e69e847e1c15027cb3cd8fe106b95f4d2c3f0dc97ebbd9d49180849b3801173a75a

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1267) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1388 mssecsvc.exe
1144 mssecsvc.exe
2040 tasksche.exe

pid	process
1388	mssecsvc.exe
1144	mssecsvc.exe
2040	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1824 wrote to memory of 1008	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1008	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1008	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1008	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1008	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1008	1824	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1008	1824	rundll32.exe	rundll32.exe
PID 1008 wrote to memory of 1388	1008	rundll32.exe	mssecsvc.exe
PID 1008 wrote to memory of 1388	1008	rundll32.exe	mssecsvc.exe
PID 1008 wrote to memory of 1388	1008	rundll32.exe	mssecsvc.exe
PID 1008 wrote to memory of 1388	1008	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1008

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1388

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2040

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
d6da95961610cc1c42d670410387b12a

SHA1
d77fbdbbb81b7fefd2087f8791fbe0942ef6b673

SHA256
2cf96ddb068e5e198d85709f8bc75faf51167827ea11f8a4cb728836cbc467fd

SHA512
d5ac32397462214b1ae083ceb8f6e7afa5fa6223f09d8ce347c315e45411de19e329fc513d82ec47c2cafb2e0d181b47448d5619673dec48abcda0800f9d5a0a

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d6da95961610cc1c42d670410387b12a

SHA1
d77fbdbbb81b7fefd2087f8791fbe0942ef6b673

SHA256
2cf96ddb068e5e198d85709f8bc75faf51167827ea11f8a4cb728836cbc467fd

SHA512
d5ac32397462214b1ae083ceb8f6e7afa5fa6223f09d8ce347c315e45411de19e329fc513d82ec47c2cafb2e0d181b47448d5619673dec48abcda0800f9d5a0a

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d6da95961610cc1c42d670410387b12a

SHA1
d77fbdbbb81b7fefd2087f8791fbe0942ef6b673

SHA256
2cf96ddb068e5e198d85709f8bc75faf51167827ea11f8a4cb728836cbc467fd

SHA512
d5ac32397462214b1ae083ceb8f6e7afa5fa6223f09d8ce347c315e45411de19e329fc513d82ec47c2cafb2e0d181b47448d5619673dec48abcda0800f9d5a0a

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
4560ce126cc34e33839f4bafbeb801b0

SHA1
ad3d81e70e7206fa255c12cbd3f863dfb72fb12c

SHA256
5facb4bca8b6a43fcf064b33c80c8727633fdc2532b2e66402b5cd954109cde0

SHA512
1aa20fe3e776def514c3b6035ff17e19373d07f0f4d8a39144484b31a8ba6368357d9db07b99e544ed27f7ee4856fd4fe50fea7f5aa7e85e408da7645f036d03

Download Submit
memory/1008-54-0x0000000000000000-mapping.dmp

Download
memory/1008-55-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download
memory/1388-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing