wannacry | 408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac

General

Target

408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac.dll
Size

5.0MB
MD5

0e3e5e700886a192d323c1012c6c1b2b
SHA1

f7f6317e536229c740c82428c1f9bbe0ef557586
SHA256

408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac
SHA512

89b9ee348fe70ce34a74e67365c63c8c4f4bd029e1f3738add65f1e5edb0b9ca4c5ddda56b17c744ce155a046a6653e44184a5fdbf23f2c131e0651d7b8d650f

Score

10^/10

wannacry discovery ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Contacts a large (2511) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

796 mssecsvc.exe
2228 mssecsvc.exe
3164 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
796	mssecsvc.exe
2228	mssecsvc.exe
3164	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1496 wrote to memory of 3468	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 3468	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 3468	1496	rundll32.exe	rundll32.exe
PID 3468 wrote to memory of 796	3468	rundll32.exe	mssecsvc.exe
PID 3468 wrote to memory of 796	3468	rundll32.exe	mssecsvc.exe
PID 3468 wrote to memory of 796	3468	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3468

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:796

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3164

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
b44ead507982e4cf2d61df6f43d749f7

SHA1
2d63f7b5ed64048efd6f52f6ba4a04bc5ffd1aba

SHA256
e2e8d453dd30923f1e9a7be288732a4796164dade8e6f8b23800672380b024a7

SHA512
22f544d85aab1349f80f998e4554c33fa3c97d49afaa1fa67ddb6ec77b1a1ef270deacf1a672dae409df61ee82b873517dec6acadca323c478928a013a81dc41

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
b44ead507982e4cf2d61df6f43d749f7

SHA1
2d63f7b5ed64048efd6f52f6ba4a04bc5ffd1aba

SHA256
e2e8d453dd30923f1e9a7be288732a4796164dade8e6f8b23800672380b024a7

SHA512
22f544d85aab1349f80f998e4554c33fa3c97d49afaa1fa67ddb6ec77b1a1ef270deacf1a672dae409df61ee82b873517dec6acadca323c478928a013a81dc41

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
b44ead507982e4cf2d61df6f43d749f7

SHA1
2d63f7b5ed64048efd6f52f6ba4a04bc5ffd1aba

SHA256
e2e8d453dd30923f1e9a7be288732a4796164dade8e6f8b23800672380b024a7

SHA512
22f544d85aab1349f80f998e4554c33fa3c97d49afaa1fa67ddb6ec77b1a1ef270deacf1a672dae409df61ee82b873517dec6acadca323c478928a013a81dc41

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
1fd3d102d83758e8317df2380821e807

SHA1
3709a9b48aee0d6039b4b3581be33f48d4919b79

SHA256
01b628fa60560c0cb4a332818cb380a65d0616d19976c084e0c3eaa433288b88

SHA512
db0ee5b13e524f2182845aa94b8b1121749e87e48e75e5ba8fa26cae024216913d3a5904fb3544dfeefa49ecf76af5cf1324c410e6366a7197594e8e9e26025f

Download Submit
memory/796-131-0x0000000000000000-mapping.dmp

Download
memory/3468-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing