wannacry | 778a55a3dab38862e2eda45f619cdb44baa804a1c165f0db8c600ec1b1faaf64

General

Target

16ce86d5d1cf3e2dd93aaec1b3394ef2.dll
Size

5.0MB
MD5

16ce86d5d1cf3e2dd93aaec1b3394ef2
SHA1

5dae16978a5b8f1964e04ac2145541b0ad2b52f3
SHA256

778a55a3dab38862e2eda45f619cdb44baa804a1c165f0db8c600ec1b1faaf64
SHA512

117bae2ed24ff5d39d18a9d7209ef9ef56c8c21977b4c268123ac5df46d294254603113aba45b74183556fe7ac8b00375322b071e5cb4a491d2704cd47706f39

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1252) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

536 mssecsvc.exe
1760 mssecsvc.exe
1236 tasksche.exe

pid	process
536	mssecsvc.exe
1760	mssecsvc.exe
1236	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e\WpadDecisionTime = 00547830e29bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadDecisionTime = 00547830e29bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\a2-7a-30-fb-3f-0e	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2036 wrote to memory of 1276	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1276	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1276	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1276	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1276	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1276	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 1276	2036	rundll32.exe	rundll32.exe
PID 1276 wrote to memory of 536	1276	rundll32.exe	mssecsvc.exe
PID 1276 wrote to memory of 536	1276	rundll32.exe	mssecsvc.exe
PID 1276 wrote to memory of 536	1276	rundll32.exe	mssecsvc.exe
PID 1276 wrote to memory of 536	1276	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16ce86d5d1cf3e2dd93aaec1b3394ef2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16ce86d5d1cf3e2dd93aaec1b3394ef2.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1276

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:536

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1236

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
a0cb6b0dc5d228429065fbc33c2f585d

SHA1
07726f67a00ad36476dfa5dca830129324d6b223

SHA256
06fd85227f456e59ae19c46a7cefdc41cafadecb53ba6c25ceec9abda8d606b3

SHA512
89680cdd995c9d2acfcfd9881f58e7e4693d2a7545a9c894af266ffa6a301362a6653ed070f06808fbf3c9fd811a300096a7b095c6ffb072348f2f8b9a247e18

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a0cb6b0dc5d228429065fbc33c2f585d

SHA1
07726f67a00ad36476dfa5dca830129324d6b223

SHA256
06fd85227f456e59ae19c46a7cefdc41cafadecb53ba6c25ceec9abda8d606b3

SHA512
89680cdd995c9d2acfcfd9881f58e7e4693d2a7545a9c894af266ffa6a301362a6653ed070f06808fbf3c9fd811a300096a7b095c6ffb072348f2f8b9a247e18

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a0cb6b0dc5d228429065fbc33c2f585d

SHA1
07726f67a00ad36476dfa5dca830129324d6b223

SHA256
06fd85227f456e59ae19c46a7cefdc41cafadecb53ba6c25ceec9abda8d606b3

SHA512
89680cdd995c9d2acfcfd9881f58e7e4693d2a7545a9c894af266ffa6a301362a6653ed070f06808fbf3c9fd811a300096a7b095c6ffb072348f2f8b9a247e18

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
ea7d7a7f1e10874a3e94cd08628083db

SHA1
41f862f9eeee5acf802eaf2bfc9b2c0bb862f82f

SHA256
06b22b278a2ebcf74be43cfee41826342cc118bb570e7833ecf53e1d1a521ba6

SHA512
9a85dedc93b8bf73cf8d58eadd0b536c4c7c0ecc03af1bf4ffb40561e3eb72a8eaa7f3fca070f2afd47334365adba941df7e3b3fcfa23f7762a97fa4d4897bed

Download Submit
memory/536-56-0x0000000000000000-mapping.dmp

Download
memory/1276-54-0x0000000000000000-mapping.dmp

Download
memory/1276-55-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads