wannacry | c1311ce03beb66c468b2478c728706a5a24ce90452bce5b489be8753cbb25dd1

General

Target

5c1a36ed5985d4ffc89e336964bbf269.dll
Size

5.0MB
MD5

5c1a36ed5985d4ffc89e336964bbf269
SHA1

49b6b44ce62ee79808137b0125d95e8f745f2e07
SHA256

c1311ce03beb66c468b2478c728706a5a24ce90452bce5b489be8753cbb25dd1
SHA512

fcac4679dd4ef848ca1054ffcfe9fe2fd4c9537b4046294dafcfa524ecbc6b318f6e93e72faec9ed04c6f933005eb2c5a06022fe7db0f1fafa3d0d0d4fe023bd

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1251) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1652 mssecsvc.exe
996 mssecsvc.exe
556 tasksche.exe

pid	process
1652	mssecsvc.exe
996	mssecsvc.exe
556	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-b6-0d-ab-9a-20\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-b6-0d-ab-9a-20\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-b6-0d-ab-9a-20\WpadDecisionTime = 60239a06e39bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\WpadDecisionTime = 60239a06e39bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\46-b6-0d-ab-9a-20	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-b6-0d-ab-9a-20	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1620 wrote to memory of 1668	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 1668	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 1668	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 1668	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 1668	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 1668	1620	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 1668	1620	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 1652	1668	rundll32.exe	mssecsvc.exe
PID 1668 wrote to memory of 1652	1668	rundll32.exe	mssecsvc.exe
PID 1668 wrote to memory of 1652	1668	rundll32.exe	mssecsvc.exe
PID 1668 wrote to memory of 1652	1668	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c1a36ed5985d4ffc89e336964bbf269.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c1a36ed5985d4ffc89e336964bbf269.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1668

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1652

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:556

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
220274c36705fe804ae6b2faaf99eb10

SHA1
9d190c6113ab466a9966ce550d40682e065479e7

SHA256
7a2eaa20332f03e4779b1dc31dff8704a06074708d07efb342c9ffbc5b2cbc0c

SHA512
69ee5d81bc870d2aee0470c66820572a6e5e6835a2f74a92bd111c188514894fa943b87f3302cdbc07eae54b589f3dabbd07a0e878acad61816fb9c4440ec08a

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
220274c36705fe804ae6b2faaf99eb10

SHA1
9d190c6113ab466a9966ce550d40682e065479e7

SHA256
7a2eaa20332f03e4779b1dc31dff8704a06074708d07efb342c9ffbc5b2cbc0c

SHA512
69ee5d81bc870d2aee0470c66820572a6e5e6835a2f74a92bd111c188514894fa943b87f3302cdbc07eae54b589f3dabbd07a0e878acad61816fb9c4440ec08a

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
220274c36705fe804ae6b2faaf99eb10

SHA1
9d190c6113ab466a9966ce550d40682e065479e7

SHA256
7a2eaa20332f03e4779b1dc31dff8704a06074708d07efb342c9ffbc5b2cbc0c

SHA512
69ee5d81bc870d2aee0470c66820572a6e5e6835a2f74a92bd111c188514894fa943b87f3302cdbc07eae54b589f3dabbd07a0e878acad61816fb9c4440ec08a

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3adf6b96f2e61aa2d8295b4e39fb918a

SHA1
25f503afaccc40f3dec5e15dedc319d84c011699

SHA256
49de68ee93acd2e1fd0054e1f0d9aae9d40a75383ad085744a34f6a7e001de9f

SHA512
a5f95d7d4636c87d5b81d9e60337dd13c712a8f91ee7c06911f21ccb3b6d41c6bb992ceb08fc9b1d79a2a8ff1f2d53f2fb34cfe34f864c1c7f137a743ddde374

Download Submit
memory/1652-56-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000000000000-mapping.dmp

Download
memory/1668-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads