wannacry | 7d0e5ba752f278eade0152fc94f590d565f3f96737620f4084534de58d4f8187

General

Target

cd59384c604a5f9e447adc1e97e95291.dll
Size

5.0MB
MD5

cd59384c604a5f9e447adc1e97e95291
SHA1

098bfc9ba19f826f33c16697a0af3a8d805e922a
SHA256

7d0e5ba752f278eade0152fc94f590d565f3f96737620f4084534de58d4f8187
SHA512

72fa297ac5b4616edf42349c564cff26cac5efddfdd0a9daa96c2aa70779247e43cccee1797d7856d09a4a8c356868587bc7496fa854d8bb615b2d4ecab4f342

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1254) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1928 mssecsvc.exe
1208 mssecsvc.exe
1920 tasksche.exe

pid	process
1928	mssecsvc.exe
1208	mssecsvc.exe
1920	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadDecisionTime = 202af939da9bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\4a-be-6e-b9-73-90	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90\WpadDecisionTime = 202af939da9bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 892 wrote to memory of 880	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 880	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 880	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 880	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 880	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 880	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 880	892	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 1928	880	rundll32.exe	mssecsvc.exe
PID 880 wrote to memory of 1928	880	rundll32.exe	mssecsvc.exe
PID 880 wrote to memory of 1928	880	rundll32.exe	mssecsvc.exe
PID 880 wrote to memory of 1928	880	rundll32.exe	mssecsvc.exe
PID 1928 wrote to memory of 1920	1928	mssecsvc.exe	tasksche.exe
PID 1928 wrote to memory of 1920	1928	mssecsvc.exe	tasksche.exe
PID 1928 wrote to memory of 1920	1928	mssecsvc.exe	tasksche.exe
PID 1928 wrote to memory of 1920	1928	mssecsvc.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd59384c604a5f9e447adc1e97e95291.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd59384c604a5f9e447adc1e97e95291.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:880

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1928

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1920

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
747ff3b923618f9c579309bc33fe9f64

SHA1
8a44b79f0042393ffc568ba16968e02f8b20d5cd

SHA256
4651c4359c600dc9fbd92e744352a63bbe7e345db8d05857879b925dbb13c679

SHA512
5a4495b2b925872c24dd1daeb87b0fabfaf229cc3b4fade9db76ca92c4ca743f6263b6b00e50986add57440b6e05ff5f230fc9c041b86a9353dff715250bc525

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
747ff3b923618f9c579309bc33fe9f64

SHA1
8a44b79f0042393ffc568ba16968e02f8b20d5cd

SHA256
4651c4359c600dc9fbd92e744352a63bbe7e345db8d05857879b925dbb13c679

SHA512
5a4495b2b925872c24dd1daeb87b0fabfaf229cc3b4fade9db76ca92c4ca743f6263b6b00e50986add57440b6e05ff5f230fc9c041b86a9353dff715250bc525

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
747ff3b923618f9c579309bc33fe9f64

SHA1
8a44b79f0042393ffc568ba16968e02f8b20d5cd

SHA256
4651c4359c600dc9fbd92e744352a63bbe7e345db8d05857879b925dbb13c679

SHA512
5a4495b2b925872c24dd1daeb87b0fabfaf229cc3b4fade9db76ca92c4ca743f6263b6b00e50986add57440b6e05ff5f230fc9c041b86a9353dff715250bc525

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
c8e7ed224160ab24e4232f5e6fd8bc08

SHA1
8bcbe1b427c7c65810d25d5e1bd6788073ab037d

SHA256
7176e96fab482a3569ae24b2dbdb81720cfc354199923294aafca76d7be28c8b

SHA512
dd063fc9a0ba9b0743eea55f6f040ed350598e0adb3545054727b52ddac6aef02f6dd5fbc395520a0d21da18b85a6b69d353bcb1fe3413f1f67ec18e26d89cb8

Download Submit
memory/880-54-0x0000000000000000-mapping.dmp

Download
memory/880-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1920-62-0x0000000000000000-mapping.dmp

Download
memory/1928-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads