wannacry | 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31

General

Target

37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll
Size

5.0MB
MD5

0e6c5008129bb859f0a760e1167f4097
SHA1

f8bea1b72244172d15da1a4ee05d013db287abc4
SHA256

37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31
SHA512

40fa30544386a46297ebeaea229e52fb459135314df7b0119bc3275ee2b6d03aed6a183da343652d335edd168b414c17a34ab807971e4c8ad450e6b0bbb1e4b1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2722) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1532 mssecsvc.exe
5116 mssecsvc.exe
4804 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2208 4804 WerFault.exe tasksche.exe
1536 4804 WerFault.exe tasksche.exe

pid	process
1532	mssecsvc.exe
5116	mssecsvc.exe
4804	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
2208	4804	WerFault.exe	tasksche.exe
1536	4804	WerFault.exe	tasksche.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 3948 wrote to memory of 1016	3948	rundll32.exe	rundll32.exe
PID 3948 wrote to memory of 1016	3948	rundll32.exe	rundll32.exe
PID 3948 wrote to memory of 1016	3948	rundll32.exe	rundll32.exe
PID 1016 wrote to memory of 1532	1016	rundll32.exe	mssecsvc.exe
PID 1016 wrote to memory of 1532	1016	rundll32.exe	mssecsvc.exe
PID 1016 wrote to memory of 1532	1016	rundll32.exe	mssecsvc.exe
PID 1532 wrote to memory of 4804	1532	mssecsvc.exe	tasksche.exe
PID 1532 wrote to memory of 4804	1532	mssecsvc.exe	tasksche.exe
PID 1532 wrote to memory of 4804	1532	mssecsvc.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1016

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1532

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 220
5⤵
- Program crash
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 264
5⤵
- Program crash
PID:1536

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 4804
1⤵
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4804 -ip 4804
1⤵
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
9057900258d9cdd64a479b2d72b0877d

SHA1
7b161c722039f8456f9cd8b31c674b39fd63d589

SHA256
9cbfe3942d5192a779c6ac9718922d4d0cec10297d68f377b791f554e3cd2a87

SHA512
93d65a5c1897b2512364257e2ed5c1951659413346a52ce2551607cfb732f83f256effa6fa0278cda098ec4fe9d801519c446384e3bcc5517863d8db65414398

Download Submit
C:\WINDOWS\tasksche.exe
Filesize
3.4MB

MD5
f5f27da84f5bdd5410d442e126eb0b51

SHA1
06ec74139d4857c8cf2ff5f943033a022fc2f6fa

SHA256
ce55e8f2041f0dee35769c1b8b70ac077b86df17a0a593cc9dd3cc8c0ffc0b40

SHA512
86d1e2bef7f1e2dd35ad8a646e8ca91644f015c7688c4452434e7359ecc3826d46d70b859d16b3c3755fa58ffaac9c1107d47a4abd527b96592b9c05f278a9fd

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
9057900258d9cdd64a479b2d72b0877d

SHA1
7b161c722039f8456f9cd8b31c674b39fd63d589

SHA256
9cbfe3942d5192a779c6ac9718922d4d0cec10297d68f377b791f554e3cd2a87

SHA512
93d65a5c1897b2512364257e2ed5c1951659413346a52ce2551607cfb732f83f256effa6fa0278cda098ec4fe9d801519c446384e3bcc5517863d8db65414398

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
9057900258d9cdd64a479b2d72b0877d

SHA1
7b161c722039f8456f9cd8b31c674b39fd63d589

SHA256
9cbfe3942d5192a779c6ac9718922d4d0cec10297d68f377b791f554e3cd2a87

SHA512
93d65a5c1897b2512364257e2ed5c1951659413346a52ce2551607cfb732f83f256effa6fa0278cda098ec4fe9d801519c446384e3bcc5517863d8db65414398

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f5f27da84f5bdd5410d442e126eb0b51

SHA1
06ec74139d4857c8cf2ff5f943033a022fc2f6fa

SHA256
ce55e8f2041f0dee35769c1b8b70ac077b86df17a0a593cc9dd3cc8c0ffc0b40

SHA512
86d1e2bef7f1e2dd35ad8a646e8ca91644f015c7688c4452434e7359ecc3826d46d70b859d16b3c3755fa58ffaac9c1107d47a4abd527b96592b9c05f278a9fd

Download Submit
memory/1016-130-0x0000000000000000-mapping.dmp

Download
memory/1532-131-0x0000000000000000-mapping.dmp

Download
memory/4804-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing