wannacry | 749eaa7de1b56feff6b790d65516822326f56ecff68bb7ce14ce410a4fe24646

General

Target

e01c3d5341904df74c97c4381c59b48d.dll
Size

5.0MB
MD5

e01c3d5341904df74c97c4381c59b48d
SHA1

6f5d96ec6b0c757bf288f7d322a546bac131c465
SHA256

749eaa7de1b56feff6b790d65516822326f56ecff68bb7ce14ce410a4fe24646
SHA512

e5e3ae53fcd67f12def785e51944cb76e41ab3ea0b78baa1e54769abdd6e2d7aa0e42f7a5560291b409c96eed9dbd279393fca106ca170d1633081dc3db7a379

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1272) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

1224 mssecsvr.exe
1408 mssecsvr.exe

pid	process
1224	mssecsvr.exe
1408	mssecsvr.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecision = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadNetworkName = "Network 3"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecisionReason = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecisionTime = 5058a235c89bd801	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\6a-75-1b-2d-33-8d	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecisionTime = 5058a235c89bd801	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2024 wrote to memory of 572	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 572	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 572	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 572	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 572	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 572	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 572	2024	rundll32.exe	rundll32.exe
PID 572 wrote to memory of 1224	572	rundll32.exe	mssecsvr.exe
PID 572 wrote to memory of 1224	572	rundll32.exe	mssecsvr.exe
PID 572 wrote to memory of 1224	572	rundll32.exe	mssecsvr.exe
PID 572 wrote to memory of 1224	572	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e01c3d5341904df74c97c4381c59b48d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e01c3d5341904df74c97c4381c59b48d.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:572

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1224

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe
Filesize
3.6MB

MD5
7b95b65f19ea524a91aa51c5e31b9fe7

SHA1
238dcc422df18fa90787efd69ef2a35de53b8cfb

SHA256
6a000b73cd7a5edf5fe93db5196cc102eeb25e9bf519aee996c93190e092bf24

SHA512
34e24204ab2aaf662f5a9168685ee8a9841a61fbebbc4c3a024633987823c0cf1c54121774ca5af9305d5366a5ab50d278c9eb520aa4fa10868bcd23e6d4beec

Download Submit
C:\Windows\mssecsvr.exe
Filesize
3.6MB

MD5
7b95b65f19ea524a91aa51c5e31b9fe7

SHA1
238dcc422df18fa90787efd69ef2a35de53b8cfb

SHA256
6a000b73cd7a5edf5fe93db5196cc102eeb25e9bf519aee996c93190e092bf24

SHA512
34e24204ab2aaf662f5a9168685ee8a9841a61fbebbc4c3a024633987823c0cf1c54121774ca5af9305d5366a5ab50d278c9eb520aa4fa10868bcd23e6d4beec

Download Submit
C:\Windows\mssecsvr.exe
Filesize
3.6MB

MD5
7b95b65f19ea524a91aa51c5e31b9fe7

SHA1
238dcc422df18fa90787efd69ef2a35de53b8cfb

SHA256
6a000b73cd7a5edf5fe93db5196cc102eeb25e9bf519aee996c93190e092bf24

SHA512
34e24204ab2aaf662f5a9168685ee8a9841a61fbebbc4c3a024633987823c0cf1c54121774ca5af9305d5366a5ab50d278c9eb520aa4fa10868bcd23e6d4beec

Download Submit
memory/572-54-0x0000000000000000-mapping.dmp

Download
memory/572-55-0x0000000074E11000-0x0000000074E13000-memory.dmp

Filesize
8KB

Download
memory/1224-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads