wannacry | 3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26

General

Target

3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26.dll
Size

5.0MB
MD5

8dadb8fd05dd1734501fc862a7135faa
SHA1

f2f6f467f7006025259fddd66b81386309ab0700
SHA256

3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26
SHA512

992a9806bfe2d715eb0b58dee589acdd7fa44a1a75ce794ef9c617d87443a6de9a5d3bfefacb7b965cbb15a730e254e261d0ac921c1d99143d105b688643783b

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3050) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

5068 mssecsvr.exe
4700 mssecsvr.exe
388 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

pid	process
5068	mssecsvr.exe
4700	mssecsvr.exe
388	tasksche.exe

Drops file in Windows directory 4 IoCs

Processes:

tasksche.exerundll32.exemssecsvr.exe

description	ioc	process
File created	C:\Windows\__tmp_rar_sfx_access_check_240587562	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exe

description	pid	process	target process
PID 5040 wrote to memory of 4948	5040	rundll32.exe	rundll32.exe
PID 5040 wrote to memory of 4948	5040	rundll32.exe	rundll32.exe
PID 5040 wrote to memory of 4948	5040	rundll32.exe	rundll32.exe
PID 4948 wrote to memory of 5068	4948	rundll32.exe	mssecsvr.exe
PID 4948 wrote to memory of 5068	4948	rundll32.exe	mssecsvr.exe
PID 4948 wrote to memory of 5068	4948	rundll32.exe	mssecsvr.exe
PID 5068 wrote to memory of 388	5068	mssecsvr.exe	tasksche.exe
PID 5068 wrote to memory of 388	5068	mssecsvr.exe	tasksche.exe
PID 5068 wrote to memory of 388	5068	mssecsvr.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4948

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5068

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:388

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
58ff294624a691ed4d9b57e73a88a4cc

SHA1
752c79566858a0ca0fb8f5f629aea6ef940647ee

SHA256
2ca3eb47b146740b1cce064724a9fc140c53a3165a38a1025e2ebb4049d7673b

SHA512
21eab38f93459e22fb7ffa210127cfac417650b8c57181f93268f3b42c2667044f4d42ecbc6ad6651b997057a563f7b008c3bf3598a606b973a6ac44c8caa5c9

Download Submit
C:\WINDOWS\tasksche.exe
Filesize
2.0MB

MD5
1b2bd4c884938f2f612ad5bcfc6d8dee

SHA1
4b1aabcabdc588258e2053c0e94c840bfcbb8547

SHA256
e68ce76eebc7677875e9241efe5ab3046d1f71e31a0af34204b6ff71e149884c

SHA512
ba34ac388c277ed99ae3fe482e9fc5be39a1fa7f4048d1556feb31c6841ac211df16daa31a1e6e51d89aae83baf2d90909b806a4aeae45e12d7579a4bfe102e9

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
58ff294624a691ed4d9b57e73a88a4cc

SHA1
752c79566858a0ca0fb8f5f629aea6ef940647ee

SHA256
2ca3eb47b146740b1cce064724a9fc140c53a3165a38a1025e2ebb4049d7673b

SHA512
21eab38f93459e22fb7ffa210127cfac417650b8c57181f93268f3b42c2667044f4d42ecbc6ad6651b997057a563f7b008c3bf3598a606b973a6ac44c8caa5c9

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
58ff294624a691ed4d9b57e73a88a4cc

SHA1
752c79566858a0ca0fb8f5f629aea6ef940647ee

SHA256
2ca3eb47b146740b1cce064724a9fc140c53a3165a38a1025e2ebb4049d7673b

SHA512
21eab38f93459e22fb7ffa210127cfac417650b8c57181f93268f3b42c2667044f4d42ecbc6ad6651b997057a563f7b008c3bf3598a606b973a6ac44c8caa5c9

Download Submit
C:\Windows\tasksche.exe
Filesize
2.0MB

MD5
1b2bd4c884938f2f612ad5bcfc6d8dee

SHA1
4b1aabcabdc588258e2053c0e94c840bfcbb8547

SHA256
e68ce76eebc7677875e9241efe5ab3046d1f71e31a0af34204b6ff71e149884c

SHA512
ba34ac388c277ed99ae3fe482e9fc5be39a1fa7f4048d1556feb31c6841ac211df16daa31a1e6e51d89aae83baf2d90909b806a4aeae45e12d7579a4bfe102e9

Download Submit
memory/388-135-0x0000000000000000-mapping.dmp

Download
memory/4948-130-0x0000000000000000-mapping.dmp

Download
memory/5068-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads