wannacry | 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31

General

Target

37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll
Size

5.0MB
MD5

0e6c5008129bb859f0a760e1167f4097
SHA1

f8bea1b72244172d15da1a4ee05d013db287abc4
SHA256

37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31
SHA512

40fa30544386a46297ebeaea229e52fb459135314df7b0119bc3275ee2b6d03aed6a183da343652d335edd168b414c17a34ab807971e4c8ad450e6b0bbb1e4b1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1243) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

956 mssecsvc.exe
1416 mssecsvc.exe
1432 tasksche.exe

pid	process
956	mssecsvc.exe
1416	mssecsvc.exe
1432	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1260 1432 WerFault.exe tasksche.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
1260	1432	WerFault.exe	tasksche.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exetasksche.exe

description	pid	process	target process
PID 912 wrote to memory of 1168	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1168	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1168	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1168	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1168	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1168	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1168	912	rundll32.exe	rundll32.exe
PID 1168 wrote to memory of 956	1168	rundll32.exe	mssecsvc.exe
PID 1168 wrote to memory of 956	1168	rundll32.exe	mssecsvc.exe
PID 1168 wrote to memory of 956	1168	rundll32.exe	mssecsvc.exe
PID 1168 wrote to memory of 956	1168	rundll32.exe	mssecsvc.exe
PID 956 wrote to memory of 1432	956	mssecsvc.exe	tasksche.exe
PID 956 wrote to memory of 1432	956	mssecsvc.exe	tasksche.exe
PID 956 wrote to memory of 1432	956	mssecsvc.exe	tasksche.exe
PID 956 wrote to memory of 1432	956	mssecsvc.exe	tasksche.exe
PID 1432 wrote to memory of 1260	1432	tasksche.exe	WerFault.exe
PID 1432 wrote to memory of 1260	1432	tasksche.exe	WerFault.exe
PID 1432 wrote to memory of 1260	1432	tasksche.exe	WerFault.exe
PID 1432 wrote to memory of 1260	1432	tasksche.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1168

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:956

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 36
5⤵
- Program crash
PID:1260

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
9057900258d9cdd64a479b2d72b0877d

SHA1
7b161c722039f8456f9cd8b31c674b39fd63d589

SHA256
9cbfe3942d5192a779c6ac9718922d4d0cec10297d68f377b791f554e3cd2a87

SHA512
93d65a5c1897b2512364257e2ed5c1951659413346a52ce2551607cfb732f83f256effa6fa0278cda098ec4fe9d801519c446384e3bcc5517863d8db65414398

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
9057900258d9cdd64a479b2d72b0877d

SHA1
7b161c722039f8456f9cd8b31c674b39fd63d589

SHA256
9cbfe3942d5192a779c6ac9718922d4d0cec10297d68f377b791f554e3cd2a87

SHA512
93d65a5c1897b2512364257e2ed5c1951659413346a52ce2551607cfb732f83f256effa6fa0278cda098ec4fe9d801519c446384e3bcc5517863d8db65414398

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
9057900258d9cdd64a479b2d72b0877d

SHA1
7b161c722039f8456f9cd8b31c674b39fd63d589

SHA256
9cbfe3942d5192a779c6ac9718922d4d0cec10297d68f377b791f554e3cd2a87

SHA512
93d65a5c1897b2512364257e2ed5c1951659413346a52ce2551607cfb732f83f256effa6fa0278cda098ec4fe9d801519c446384e3bcc5517863d8db65414398

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f5f27da84f5bdd5410d442e126eb0b51

SHA1
06ec74139d4857c8cf2ff5f943033a022fc2f6fa

SHA256
ce55e8f2041f0dee35769c1b8b70ac077b86df17a0a593cc9dd3cc8c0ffc0b40

SHA512
86d1e2bef7f1e2dd35ad8a646e8ca91644f015c7688c4452434e7359ecc3826d46d70b859d16b3c3755fa58ffaac9c1107d47a4abd527b96592b9c05f278a9fd

Download Submit
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/1168-54-0x0000000000000000-mapping.dmp

Download
memory/1168-55-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1260-64-0x0000000000000000-mapping.dmp

Download
memory/1432-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing