wannacry | 7d0e5ba752f278eade0152fc94f590d565f3f96737620f4084534de58d4f8187

General

Target

cd59384c604a5f9e447adc1e97e95291.dll
Size

5.0MB
MD5

cd59384c604a5f9e447adc1e97e95291
SHA1

098bfc9ba19f826f33c16697a0af3a8d805e922a
SHA256

7d0e5ba752f278eade0152fc94f590d565f3f96737620f4084534de58d4f8187
SHA512

72fa297ac5b4616edf42349c564cff26cac5efddfdd0a9daa96c2aa70779247e43cccee1797d7856d09a4a8c356868587bc7496fa854d8bb615b2d4ecab4f342

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2602) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3444 mssecsvc.exe
4796 mssecsvc.exe
4232 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3992 4232 WerFault.exe tasksche.exe

pid	process
3444	mssecsvc.exe
4796	mssecsvc.exe
4232	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
3992	4232	WerFault.exe	tasksche.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 2492 wrote to memory of 3124	2492	rundll32.exe	rundll32.exe
PID 2492 wrote to memory of 3124	2492	rundll32.exe	rundll32.exe
PID 2492 wrote to memory of 3124	2492	rundll32.exe	rundll32.exe
PID 3124 wrote to memory of 3444	3124	rundll32.exe	mssecsvc.exe
PID 3124 wrote to memory of 3444	3124	rundll32.exe	mssecsvc.exe
PID 3124 wrote to memory of 3444	3124	rundll32.exe	mssecsvc.exe
PID 3444 wrote to memory of 4232	3444	mssecsvc.exe	tasksche.exe
PID 3444 wrote to memory of 4232	3444	mssecsvc.exe	tasksche.exe
PID 3444 wrote to memory of 4232	3444	mssecsvc.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd59384c604a5f9e447adc1e97e95291.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd59384c604a5f9e447adc1e97e95291.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3124

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3444

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 216
5⤵
- Program crash
PID:3992

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 4232
1⤵
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
747ff3b923618f9c579309bc33fe9f64

SHA1
8a44b79f0042393ffc568ba16968e02f8b20d5cd

SHA256
4651c4359c600dc9fbd92e744352a63bbe7e345db8d05857879b925dbb13c679

SHA512
5a4495b2b925872c24dd1daeb87b0fabfaf229cc3b4fade9db76ca92c4ca743f6263b6b00e50986add57440b6e05ff5f230fc9c041b86a9353dff715250bc525

Download Submit
C:\WINDOWS\tasksche.exe
Filesize
3.4MB

MD5
c8e7ed224160ab24e4232f5e6fd8bc08

SHA1
8bcbe1b427c7c65810d25d5e1bd6788073ab037d

SHA256
7176e96fab482a3569ae24b2dbdb81720cfc354199923294aafca76d7be28c8b

SHA512
dd063fc9a0ba9b0743eea55f6f040ed350598e0adb3545054727b52ddac6aef02f6dd5fbc395520a0d21da18b85a6b69d353bcb1fe3413f1f67ec18e26d89cb8

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
747ff3b923618f9c579309bc33fe9f64

SHA1
8a44b79f0042393ffc568ba16968e02f8b20d5cd

SHA256
4651c4359c600dc9fbd92e744352a63bbe7e345db8d05857879b925dbb13c679

SHA512
5a4495b2b925872c24dd1daeb87b0fabfaf229cc3b4fade9db76ca92c4ca743f6263b6b00e50986add57440b6e05ff5f230fc9c041b86a9353dff715250bc525

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
747ff3b923618f9c579309bc33fe9f64

SHA1
8a44b79f0042393ffc568ba16968e02f8b20d5cd

SHA256
4651c4359c600dc9fbd92e744352a63bbe7e345db8d05857879b925dbb13c679

SHA512
5a4495b2b925872c24dd1daeb87b0fabfaf229cc3b4fade9db76ca92c4ca743f6263b6b00e50986add57440b6e05ff5f230fc9c041b86a9353dff715250bc525

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
c8e7ed224160ab24e4232f5e6fd8bc08

SHA1
8bcbe1b427c7c65810d25d5e1bd6788073ab037d

SHA256
7176e96fab482a3569ae24b2dbdb81720cfc354199923294aafca76d7be28c8b

SHA512
dd063fc9a0ba9b0743eea55f6f040ed350598e0adb3545054727b52ddac6aef02f6dd5fbc395520a0d21da18b85a6b69d353bcb1fe3413f1f67ec18e26d89cb8

Download Submit
memory/3124-130-0x0000000000000000-mapping.dmp

Download
memory/3444-131-0x0000000000000000-mapping.dmp

Download
memory/4232-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing