wannacry | 8d7960d4c8943d901f5e435bcc4406027ba814733b0b3c2e16f8b265df83dd53

General

Target

ecce5039634ff774782109f78831fab2.dll
Size

5.0MB
MD5

ecce5039634ff774782109f78831fab2
SHA1

201cf971c2c4aa8e99121ccc1b4f403730d0ade8
SHA256

8d7960d4c8943d901f5e435bcc4406027ba814733b0b3c2e16f8b265df83dd53
SHA512

3ee99d676596885435f616e13dcb356e2f5d7733da8387ae780f32a86179b4cfb721525f789af4d2fa6f3ad7bd6204b1885a0a06c9f9bb84bc2ece54c3351ec7

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (965) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

888 mssecsvc.exe
1152 mssecsvc.exe
392 tasksche.exe

pid	process
888	mssecsvc.exe
1152	mssecsvc.exe
392	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\aa-9a-b0-7d-5c-4f	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9a-b0-7d-5c-4f\WpadDecisionTime = d0f4dc64e29bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\WpadDecisionTime = d0f4dc64e29bd801	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9a-b0-7d-5c-4f	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9a-b0-7d-5c-4f\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00be000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9a-b0-7d-5c-4f\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1028 wrote to memory of 1888	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1888	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1888	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1888	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1888	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1888	1028	rundll32.exe	rundll32.exe
PID 1028 wrote to memory of 1888	1028	rundll32.exe	rundll32.exe
PID 1888 wrote to memory of 888	1888	rundll32.exe	mssecsvc.exe
PID 1888 wrote to memory of 888	1888	rundll32.exe	mssecsvc.exe
PID 1888 wrote to memory of 888	1888	rundll32.exe	mssecsvc.exe
PID 1888 wrote to memory of 888	1888	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecce5039634ff774782109f78831fab2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecce5039634ff774782109f78831fab2.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1888

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:888

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:392

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
a425528f249d2888378de9f8300af9cb

SHA1
d4987b17422d3ab83307a8358d1749a717d3fd1b

SHA256
4306cb0038e00851ab6c9989adfcf5c9ea9107a4fb3552dc9d7732622c1111af

SHA512
f749b65cc8c0bcb9cbf5c5219f25ceb713f239c716cb6a2ba373e2cd2613bdb92818c6e0b907bf4f9d5c8a31598e306ca4f966eff4e492bb05ac40301fb20617

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a425528f249d2888378de9f8300af9cb

SHA1
d4987b17422d3ab83307a8358d1749a717d3fd1b

SHA256
4306cb0038e00851ab6c9989adfcf5c9ea9107a4fb3552dc9d7732622c1111af

SHA512
f749b65cc8c0bcb9cbf5c5219f25ceb713f239c716cb6a2ba373e2cd2613bdb92818c6e0b907bf4f9d5c8a31598e306ca4f966eff4e492bb05ac40301fb20617

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a425528f249d2888378de9f8300af9cb

SHA1
d4987b17422d3ab83307a8358d1749a717d3fd1b

SHA256
4306cb0038e00851ab6c9989adfcf5c9ea9107a4fb3552dc9d7732622c1111af

SHA512
f749b65cc8c0bcb9cbf5c5219f25ceb713f239c716cb6a2ba373e2cd2613bdb92818c6e0b907bf4f9d5c8a31598e306ca4f966eff4e492bb05ac40301fb20617

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
79bc33ad0c61b11edca10c373137ace7

SHA1
5c56289d0fdb2391f8c36c5fcca1085ab28f8b52

SHA256
f9fdf806b56b1b71fcab1613d3c1761bdae006d432e3508bd16a6b04e092320f

SHA512
7acffdbe1435fe45108010c4dfc6150d44b66e04df533d749276912ece7a9724e87b10e9c71c6da4b84d80712126d7775dd34cb5d72eb02f13cadbc35ca5d0c5

Download Submit
memory/888-56-0x0000000000000000-mapping.dmp

Download
memory/1888-54-0x0000000000000000-mapping.dmp

Download
memory/1888-55-0x0000000075DC1000-0x0000000075DC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads