wannacry | a414c88ea3abea18940a7cfa966006ec106c8194854dca735791340516a6ddbd

General

Target

7f97f07acd6ebae1ae1e25728c8e5718.dll
Size

5.0MB
MD5

7f97f07acd6ebae1ae1e25728c8e5718
SHA1

f0a286bbd4954fa0a3c70cda523b51e3f5a873dd
SHA256

a414c88ea3abea18940a7cfa966006ec106c8194854dca735791340516a6ddbd
SHA512

10b56fdfac0612f72cfbecc274f9b43647fc4658a38cf11af9847a9be140d47861d76481004ac94a41026e3ea772376127ebcd7e6b6add441d9aa93e697c2b6d

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (628) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1812 mssecsvc.exe
620 mssecsvc.exe
392 tasksche.exe

pid	process
1812	mssecsvc.exe
620	mssecsvc.exe
392	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\WpadDecisionTime = b0252a66e29bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-42-93-21-4d-8b\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-42-93-21-4d-8b	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-42-93-21-4d-8b\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\2a-42-93-21-4d-8b	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-42-93-21-4d-8b\WpadDecisionTime = b0252a66e29bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 608 wrote to memory of 1596	608	rundll32.exe	rundll32.exe
PID 608 wrote to memory of 1596	608	rundll32.exe	rundll32.exe
PID 608 wrote to memory of 1596	608	rundll32.exe	rundll32.exe
PID 608 wrote to memory of 1596	608	rundll32.exe	rundll32.exe
PID 608 wrote to memory of 1596	608	rundll32.exe	rundll32.exe
PID 608 wrote to memory of 1596	608	rundll32.exe	rundll32.exe
PID 608 wrote to memory of 1596	608	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 1812	1596	rundll32.exe	mssecsvc.exe
PID 1596 wrote to memory of 1812	1596	rundll32.exe	mssecsvc.exe
PID 1596 wrote to memory of 1812	1596	rundll32.exe	mssecsvc.exe
PID 1596 wrote to memory of 1812	1596	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f97f07acd6ebae1ae1e25728c8e5718.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f97f07acd6ebae1ae1e25728c8e5718.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1596

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1812

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:392

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
fdd413bd48b8e870615b57b6d70e919a

SHA1
7b5db8f9695da121ad5ab038a763971c5fac8bdd

SHA256
ab312f2bc2503ae9e62ae95df973f729f13ee5dc923b0a1fe599b490f9a78b2d

SHA512
aa15905f21a790ddbbe8ac0928b955de9bc0f1bc771effdf8e1128ace3de97c53c3f1e3541d17f7a85b7f1afc6b4f5c4828663f24a45a9eab1df7fef25e911f1

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
fdd413bd48b8e870615b57b6d70e919a

SHA1
7b5db8f9695da121ad5ab038a763971c5fac8bdd

SHA256
ab312f2bc2503ae9e62ae95df973f729f13ee5dc923b0a1fe599b490f9a78b2d

SHA512
aa15905f21a790ddbbe8ac0928b955de9bc0f1bc771effdf8e1128ace3de97c53c3f1e3541d17f7a85b7f1afc6b4f5c4828663f24a45a9eab1df7fef25e911f1

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
fdd413bd48b8e870615b57b6d70e919a

SHA1
7b5db8f9695da121ad5ab038a763971c5fac8bdd

SHA256
ab312f2bc2503ae9e62ae95df973f729f13ee5dc923b0a1fe599b490f9a78b2d

SHA512
aa15905f21a790ddbbe8ac0928b955de9bc0f1bc771effdf8e1128ace3de97c53c3f1e3541d17f7a85b7f1afc6b4f5c4828663f24a45a9eab1df7fef25e911f1

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3cd12bc33759850852afe8ecdc8ab09f

SHA1
8ed34809398e16f470eca7bc33142be36de7ae44

SHA256
360768fb57d8baa76fe544fb52893bca68f48e07f486263d2a187274cb3548cc

SHA512
0a5702fdfe5576d7da1880a771c99b74e85c01c56d11a65ec0f1a28e27ddba50a0ec23ad596dd4d8249e41a847ce0e9ee8bece9bf4198dd85180b3d61fc6d23a

Download Submit
memory/1596-54-0x0000000000000000-mapping.dmp

Download
memory/1596-55-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1812-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads