wannacry | 48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281

General

Target

48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll
Size

5.0MB
MD5

1ced543091b9dc5fd59237f675d6dd90
SHA1

d464770ef157cef154d181573c81bd3cba357127
SHA256

48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281
SHA512

cc279ee918c59f0f12ab51b2a88ac2ee801be6adbacce368bc84b6b6dba781c0c0fa6d389a2cc420503ead178efb1336c2bcb40052049664a1c8486d807029d2

Score

10^/10

wannacry ransomware suricata worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3592 mssecsvc.exe
4928 mssecsvc.exe
4480 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3592	mssecsvc.exe
4928	mssecsvc.exe
4480	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3320 wrote to memory of 64	3320	rundll32.exe	rundll32.exe
PID 3320 wrote to memory of 64	3320	rundll32.exe	rundll32.exe
PID 3320 wrote to memory of 64	3320	rundll32.exe	rundll32.exe
PID 64 wrote to memory of 3592	64	rundll32.exe	mssecsvc.exe
PID 64 wrote to memory of 3592	64	rundll32.exe	mssecsvc.exe
PID 64 wrote to memory of 3592	64	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:64

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3592

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4480

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
36e81fd6c5ea829ac56dd19c68b7ca0c

SHA1
94ec59960e278c1c34826a73a2244277721be3d3

SHA256
9cc92eb0da2056e09e126d3358a0264f6bb0d6f848961b59f468e0a74bab12c0

SHA512
b41bca7ea3dd971dfb32c930e303ac3d7da6ee9e6315a0a6ba7ef8e6d9fa6523a5d9c0bb4da68d51dfdcbfe5d6e7f38b468da72b4aaebcd5376a1e5852152c82

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
36e81fd6c5ea829ac56dd19c68b7ca0c

SHA1
94ec59960e278c1c34826a73a2244277721be3d3

SHA256
9cc92eb0da2056e09e126d3358a0264f6bb0d6f848961b59f468e0a74bab12c0

SHA512
b41bca7ea3dd971dfb32c930e303ac3d7da6ee9e6315a0a6ba7ef8e6d9fa6523a5d9c0bb4da68d51dfdcbfe5d6e7f38b468da72b4aaebcd5376a1e5852152c82

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
36e81fd6c5ea829ac56dd19c68b7ca0c

SHA1
94ec59960e278c1c34826a73a2244277721be3d3

SHA256
9cc92eb0da2056e09e126d3358a0264f6bb0d6f848961b59f468e0a74bab12c0

SHA512
b41bca7ea3dd971dfb32c930e303ac3d7da6ee9e6315a0a6ba7ef8e6d9fa6523a5d9c0bb4da68d51dfdcbfe5d6e7f38b468da72b4aaebcd5376a1e5852152c82

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
b0e9218be520b2f8391ab5c575bf98d0

SHA1
5909e58b6768cc219990f0ebe10782606656fb5f

SHA256
0fb71a0d4f29cdaff0192e3c4c2cc5df9f0af23b205f3c911a482a06d8de3c68

SHA512
4b5da5cc9f1162c373aad51473e20f062eabfc67077ed83ce02f65556932547c7a2614704b0c1069cd770831f746e5c8249ab52a8ef98bf722f18cd5313e8012

Download Submit
memory/64-130-0x0000000000000000-mapping.dmp

Download
memory/3592-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads