wannacry | 3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d

General

Target

3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d.dll
Size

5.0MB
MD5

1bb736b97b5bcb4c5b3adf5c3c903fa3
SHA1

10f9c2033d3ff3618ca7253f7b68a09bbd681c4c
SHA256

3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d
SHA512

9036eb430ec907311b90f623aab08a17b27e2238c3a8745e5436837d57f34156ff81efa87abe8770e9a87444c62934f8979d66ef42c2b67c9d02c22f50c02285

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (3220) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1868 mssecsvc.exe
1404 mssecsvc.exe
2348 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1868	mssecsvc.exe
1404	mssecsvc.exe
2348	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1252 wrote to memory of 4908	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 4908	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 4908	1252	rundll32.exe	rundll32.exe
PID 4908 wrote to memory of 1868	4908	rundll32.exe	mssecsvc.exe
PID 4908 wrote to memory of 1868	4908	rundll32.exe	mssecsvc.exe
PID 4908 wrote to memory of 1868	4908	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4908

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1868

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2348

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
93409fe4337b68f8912ba2e92c23c511

SHA1
2de3c7ada7dfffe146ebb57290c13e69344fcefc

SHA256
2543b22312984298b9436bf5c16e211d11a8ad23872b9fe3ba5ed46c663c3ed7

SHA512
fb3edd00b09178da6d8bfa2159f7d66fd3e3be85e22f22e96c7c8a84c77004dc46e12fc20c9af9bf112acaa4ae37d24385bc5fba01bb44c552dc9669f472ba6b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
93409fe4337b68f8912ba2e92c23c511

SHA1
2de3c7ada7dfffe146ebb57290c13e69344fcefc

SHA256
2543b22312984298b9436bf5c16e211d11a8ad23872b9fe3ba5ed46c663c3ed7

SHA512
fb3edd00b09178da6d8bfa2159f7d66fd3e3be85e22f22e96c7c8a84c77004dc46e12fc20c9af9bf112acaa4ae37d24385bc5fba01bb44c552dc9669f472ba6b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
93409fe4337b68f8912ba2e92c23c511

SHA1
2de3c7ada7dfffe146ebb57290c13e69344fcefc

SHA256
2543b22312984298b9436bf5c16e211d11a8ad23872b9fe3ba5ed46c663c3ed7

SHA512
fb3edd00b09178da6d8bfa2159f7d66fd3e3be85e22f22e96c7c8a84c77004dc46e12fc20c9af9bf112acaa4ae37d24385bc5fba01bb44c552dc9669f472ba6b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
837e206ce11179584ec7ef0a57a511ed

SHA1
e43ed282d8906410bf3b4225b0bfcc1d20fae810

SHA256
a03d52a8c7277c61ef65c1e7960b322be1a94d88de4dc3b6788b551e44ff17e9

SHA512
3f9e02a8e412837b1dd4877d4920bc6029952f0efbc4d54007d617ec5b48dd88ccca6e552b791a1748a68584c2c1c4f7f78bd9fcf64947af788c4f52d25595a7

Download Submit
memory/1868-131-0x0000000000000000-mapping.dmp

Download
memory/4908-130-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing