wannacry | 59eee303cf6cbf5bc6019b07f3e49714cbcc8f98639b36d55a9e0289de456c91

General

Target

baaf9b2f0ea5f26f4c4d8021216ca936.dll
Size

5.0MB
MD5

baaf9b2f0ea5f26f4c4d8021216ca936
SHA1

aeb5c2bfcd95fe5b63e8709bfcac6f1270f3abc2
SHA256

59eee303cf6cbf5bc6019b07f3e49714cbcc8f98639b36d55a9e0289de456c91
SHA512

44846385fd7df191ff39d817f51155db3b3bfdca022e6638751dba9463fcfbe749147fac12b72db55b39b8a7199715e544164710fd5049b98ea74d104e8c32fa

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1152 mssecsvc.exe
1812 mssecsvc.exe
580 tasksche.exe

pid	process
1152	mssecsvc.exe
1812	mssecsvc.exe
580	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e\WpadDecisionTime = 80a32562d99bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\a2-7a-30-fb-3f-0e	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadDecisionTime = 80a32562d99bd801	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 688 wrote to memory of 1784	688	rundll32.exe	rundll32.exe
PID 688 wrote to memory of 1784	688	rundll32.exe	rundll32.exe
PID 688 wrote to memory of 1784	688	rundll32.exe	rundll32.exe
PID 688 wrote to memory of 1784	688	rundll32.exe	rundll32.exe
PID 688 wrote to memory of 1784	688	rundll32.exe	rundll32.exe
PID 688 wrote to memory of 1784	688	rundll32.exe	rundll32.exe
PID 688 wrote to memory of 1784	688	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 1152	1784	rundll32.exe	mssecsvc.exe
PID 1784 wrote to memory of 1152	1784	rundll32.exe	mssecsvc.exe
PID 1784 wrote to memory of 1152	1784	rundll32.exe	mssecsvc.exe
PID 1784 wrote to memory of 1152	1784	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\baaf9b2f0ea5f26f4c4d8021216ca936.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\baaf9b2f0ea5f26f4c4d8021216ca936.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1784

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1152

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:580

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
6ebbe1b87c4ff3ed8c431a8597f0ce0b

SHA1
05e3ccb742c5f01a30fc703b12497cd17f346032

SHA256
7814ae9dc6b4433524337c3cd1e5d44ad5cb1f2a4da166e93895eb7120ede696

SHA512
725bb9e049b849a3df7318449ddb9f654d8844e5828b6686a4aa55877988fdac3374bf966b335e6152dcd628e6d3537ded2f9d1361dbf9de8590b02cb2869083

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
6ebbe1b87c4ff3ed8c431a8597f0ce0b

SHA1
05e3ccb742c5f01a30fc703b12497cd17f346032

SHA256
7814ae9dc6b4433524337c3cd1e5d44ad5cb1f2a4da166e93895eb7120ede696

SHA512
725bb9e049b849a3df7318449ddb9f654d8844e5828b6686a4aa55877988fdac3374bf966b335e6152dcd628e6d3537ded2f9d1361dbf9de8590b02cb2869083

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
6ebbe1b87c4ff3ed8c431a8597f0ce0b

SHA1
05e3ccb742c5f01a30fc703b12497cd17f346032

SHA256
7814ae9dc6b4433524337c3cd1e5d44ad5cb1f2a4da166e93895eb7120ede696

SHA512
725bb9e049b849a3df7318449ddb9f654d8844e5828b6686a4aa55877988fdac3374bf966b335e6152dcd628e6d3537ded2f9d1361dbf9de8590b02cb2869083

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f77962a587f11843491c9802bcbfc040

SHA1
7c21e00421c51c4060bb160a1efa57e3a10abc4f

SHA256
e426116f7da1f6021e2475bfcab94073862fb1a1289826cd69e7a9a605934e6f

SHA512
95b8f99117fc7fe9ad94cf6f6b39774a59bd9999eb82f1779ac62f46f28d725502ec3935e5dcec5119c465e81861e86478dc70e9baeec7b61ea549568a10d197

Download Submit
memory/1152-56-0x0000000000000000-mapping.dmp

Download
memory/1784-54-0x0000000000000000-mapping.dmp

Download
memory/1784-55-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads