wannacry | 42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c

General

Target

42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll
Size

5.0MB
MD5

3ce4cffc202ddafe9e2b2c8f570f4e16
SHA1

f331a320d11d62823847ed76228e2e706df6aa2c
SHA256

42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c
SHA512

24484046e1075e475d58aff29dbe62471bd62925d91209a961fee74007a869c4e5bd4484d38984f65bcff3b7a65adccb711a206a3b25ccd45b894c3065cb4e95

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (2070) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2260 mssecsvc.exe
1480 mssecsvc.exe
3672 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2260	mssecsvc.exe
1480	mssecsvc.exe
3672	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4052 wrote to memory of 4072	4052	rundll32.exe	rundll32.exe
PID 4052 wrote to memory of 4072	4052	rundll32.exe	rundll32.exe
PID 4052 wrote to memory of 4072	4052	rundll32.exe	rundll32.exe
PID 4072 wrote to memory of 2260	4072	rundll32.exe	mssecsvc.exe
PID 4072 wrote to memory of 2260	4072	rundll32.exe	mssecsvc.exe
PID 4072 wrote to memory of 2260	4072	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4072

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2260

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3672

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
31def06abbda1f1bb66478c529472968

SHA1
415434f6d7cf11afa36380a7c4b9d810b8106ed7

SHA256
61ab25674aa2529ff9e581e829537544aeb00004c1a861f30e91d335030e8515

SHA512
217f571187700877ea6ed1a88f7bbd27ebff586f9d0dbaeefd65f48bf42733264305ecbd4992f3bcbfe96679bb772e7996e42d9aceafb1c809645873afc48c40

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
31def06abbda1f1bb66478c529472968

SHA1
415434f6d7cf11afa36380a7c4b9d810b8106ed7

SHA256
61ab25674aa2529ff9e581e829537544aeb00004c1a861f30e91d335030e8515

SHA512
217f571187700877ea6ed1a88f7bbd27ebff586f9d0dbaeefd65f48bf42733264305ecbd4992f3bcbfe96679bb772e7996e42d9aceafb1c809645873afc48c40

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
31def06abbda1f1bb66478c529472968

SHA1
415434f6d7cf11afa36380a7c4b9d810b8106ed7

SHA256
61ab25674aa2529ff9e581e829537544aeb00004c1a861f30e91d335030e8515

SHA512
217f571187700877ea6ed1a88f7bbd27ebff586f9d0dbaeefd65f48bf42733264305ecbd4992f3bcbfe96679bb772e7996e42d9aceafb1c809645873afc48c40

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f2fc595e0263ee99769ec3805bb7768e

SHA1
21c3b65c906ff24a4759271537b8da01516d841d

SHA256
85117a97158c171ef7de01771ffdc172df4c09689fa1d579513d27a4a861351f

SHA512
512a12f68ae5c7e61961c38d6cfb33e2e796ef0afe29170c67764830d7200ae5fb675d83df96dfde1a28994331d81cb7b4b56f8f58fc923c0fc73168a03cf99c

Download Submit
memory/2260-131-0x0000000000000000-mapping.dmp

Download
memory/4072-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing