wannacry | 364765063f9d485bdc767450c15bb74c9d619a1de8614232049f6e359b7ec7db

General

Target

364765063f9d485bdc767450c15bb74c9d619a1de8614232049f6e359b7ec7db.dll
Size

5.0MB
MD5

d454cf8158b1432c4c9f508d09f4276f
SHA1

18bec73433069e332cb776c0c72f49b0a6022318
SHA256

364765063f9d485bdc767450c15bb74c9d619a1de8614232049f6e359b7ec7db
SHA512

7163ef196d4282da8ccc66ccde796b5216cd19dcfe526fd675c35a822035a3d93e49de2583b6656aad39c08fae2d6e60a8b28bb6d15c1d2cbd2e5b499a11837a

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (796) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

908 mssecsvc.exe
1880 mssecsvc.exe
1824 tasksche.exe

pid	process
908	mssecsvc.exe
1880	mssecsvc.exe
1824	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B73BD384-06CC-4A68-A835-440AFF068997}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-78-c3-8d-8b-9c\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B73BD384-06CC-4A68-A835-440AFF068997}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B73BD384-06CC-4A68-A835-440AFF068997}\WpadDecisionTime = 208f05f23b89d801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-78-c3-8d-8b-9c	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-78-c3-8d-8b-9c\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B73BD384-06CC-4A68-A835-440AFF068997}\92-78-c3-8d-8b-9c	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B73BD384-06CC-4A68-A835-440AFF068997}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B73BD384-06CC-4A68-A835-440AFF068997}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-78-c3-8d-8b-9c\WpadDecisionTime = 208f05f23b89d801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 972 wrote to memory of 960	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 960	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 960	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 960	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 960	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 960	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 960	972	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 908	960	rundll32.exe	mssecsvc.exe
PID 960 wrote to memory of 908	960	rundll32.exe	mssecsvc.exe
PID 960 wrote to memory of 908	960	rundll32.exe	mssecsvc.exe
PID 960 wrote to memory of 908	960	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\364765063f9d485bdc767450c15bb74c9d619a1de8614232049f6e359b7ec7db.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\364765063f9d485bdc767450c15bb74c9d619a1de8614232049f6e359b7ec7db.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:960

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:908

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1824

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
7af921e9c5df8e3ec4e21d09852f511d

SHA1
a205a510bb5a70058c8084d390f00dfe59adaaf0

SHA256
b6d6ca9c80618d8699e38a426abe35821cee635a8f3c3b61b929ddc45d989062

SHA512
a66eb896d5114d91adf3593f39f4fab6306c455275b0dc9255ae1930e4473e8ad654ceb7680ccc4c5bb92aa3230aa590c7be1831a43f244ea81f912a358c5934

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
7af921e9c5df8e3ec4e21d09852f511d

SHA1
a205a510bb5a70058c8084d390f00dfe59adaaf0

SHA256
b6d6ca9c80618d8699e38a426abe35821cee635a8f3c3b61b929ddc45d989062

SHA512
a66eb896d5114d91adf3593f39f4fab6306c455275b0dc9255ae1930e4473e8ad654ceb7680ccc4c5bb92aa3230aa590c7be1831a43f244ea81f912a358c5934

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
7af921e9c5df8e3ec4e21d09852f511d

SHA1
a205a510bb5a70058c8084d390f00dfe59adaaf0

SHA256
b6d6ca9c80618d8699e38a426abe35821cee635a8f3c3b61b929ddc45d989062

SHA512
a66eb896d5114d91adf3593f39f4fab6306c455275b0dc9255ae1930e4473e8ad654ceb7680ccc4c5bb92aa3230aa590c7be1831a43f244ea81f912a358c5934

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3a0b1030220320531da36737016d6736

SHA1
918af20cebd6fb6b017273e58a2cad2566890641

SHA256
da9a7273f12fc114ffc406b7f1507e8e1f5931662fa843b7719daea653846045

SHA512
ab923f025411895e663394680ca869d299b8eeb6e03c594530ddf42aca6565b0b6caf42fad1446e094a5356c4c8829a9b5a1a07d99223a1898f90750e018d5bf

Download Submit
memory/908-56-0x0000000000000000-mapping.dmp

Download
memory/960-54-0x0000000000000000-mapping.dmp

Download
memory/960-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads