wannacry | 190dc8bbf160ad52059047cdcac0eda73e6a9d8119d6b42d57cf33a35df83fec

General

Target

5e9c5a51094fa1c3d88fd30cd5c4934c.dll
Size

5.0MB
MD5

5e9c5a51094fa1c3d88fd30cd5c4934c
SHA1

c89cf3fa904e833856d809a7117e3a33b34c90f6
SHA256

190dc8bbf160ad52059047cdcac0eda73e6a9d8119d6b42d57cf33a35df83fec
SHA512

5417ded155fb88be401ee13addbf8f0f28915deaab9e76850db6b42a5e56e174c0efe994138f2389c11c3908877cc06034b581a7a33a54e8250b687f7a384a76

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1289) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1968 mssecsvc.exe
1612 mssecsvc.exe
1704 tasksche.exe

pid	process
1968	mssecsvc.exe
1612	mssecsvc.exe
1704	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-35-a4-69-4c-20\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fe000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-35-a4-69-4c-20	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-35-a4-69-4c-20\WpadDecisionTime = c0198552c99bd801	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\a2-35-a4-69-4c-20	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\WpadDecisionTime = c0198552c99bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-35-a4-69-4c-20\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 1968	1148	rundll32.exe	mssecsvc.exe
PID 1148 wrote to memory of 1968	1148	rundll32.exe	mssecsvc.exe
PID 1148 wrote to memory of 1968	1148	rundll32.exe	mssecsvc.exe
PID 1148 wrote to memory of 1968	1148	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e9c5a51094fa1c3d88fd30cd5c4934c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e9c5a51094fa1c3d88fd30cd5c4934c.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1148

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1968

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1704

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
e6a5f18d9fb21a5f0272657404773dd7

SHA1
3d5cae9c2f57b32788d8e046857bf19933622b2c

SHA256
df06a81ec30ecafa9cda12fd568134dbda4d28902d4278164d3d60dbd1281cdc

SHA512
4710d55a450da50b2e2138494b6e8161c263c3047f3477f18add5ca8e72c5637d17e268c326d1eec49ba0ca281ed1adda4739a997958dacf64bdbb0b0015355f

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e6a5f18d9fb21a5f0272657404773dd7

SHA1
3d5cae9c2f57b32788d8e046857bf19933622b2c

SHA256
df06a81ec30ecafa9cda12fd568134dbda4d28902d4278164d3d60dbd1281cdc

SHA512
4710d55a450da50b2e2138494b6e8161c263c3047f3477f18add5ca8e72c5637d17e268c326d1eec49ba0ca281ed1adda4739a997958dacf64bdbb0b0015355f

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e6a5f18d9fb21a5f0272657404773dd7

SHA1
3d5cae9c2f57b32788d8e046857bf19933622b2c

SHA256
df06a81ec30ecafa9cda12fd568134dbda4d28902d4278164d3d60dbd1281cdc

SHA512
4710d55a450da50b2e2138494b6e8161c263c3047f3477f18add5ca8e72c5637d17e268c326d1eec49ba0ca281ed1adda4739a997958dacf64bdbb0b0015355f

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
e53eca70af35bcd7f7afd4dcc3f49dae

SHA1
bdf8f0c559ba71c0e66c06164768573c33d0e774

SHA256
b18fb7c3a78546b005e0d6efe496168181c4d9ba8a03d75508f94990d021f016

SHA512
e6e113fc4d454f2756d3611db8c32f1f7491414a42341bfddc709b634180adf903125f14f1e31300afa552afba17edef8e323643c47579eabef1aae7aae2ade8

Download Submit
memory/1148-54-0x0000000000000000-mapping.dmp

Download
memory/1148-55-0x00000000765D1000-0x00000000765D3000-memory.dmp

Filesize
8KB

Download
memory/1968-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads