wannacry | 75cb9bdda5938f729989ffcc4359c9696c23ff2fd31f0ac46aafd3c62f8b14d1

General

Target

1979f40a1a6ea5d1b3765d51106e1a59.dll
Size

5.0MB
MD5

1979f40a1a6ea5d1b3765d51106e1a59
SHA1

fa2aabea035923395843146ee3c94b80776a1911
SHA256

75cb9bdda5938f729989ffcc4359c9696c23ff2fd31f0ac46aafd3c62f8b14d1
SHA512

ec2d6234ce758e31d56cb0f7f6666bbecd731adae0d7d9fe1d98fa79af37aa65a23eb3deabd261b2743c690f29361b183736cded9203e933ec36c3af8fc1fe3d

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1543) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1560 mssecsvc.exe
1248 mssecsvc.exe
1772 tasksche.exe

pid	process
1560	mssecsvc.exe
1248	mssecsvc.exe
1772	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadDecisionTime = 90d46a1fd29bd801	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08\WpadDecisionTime = 90d46a1fd29bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\ae-1d-a5-c5-14-08	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1836 wrote to memory of 2024	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 2024	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 2024	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 2024	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 2024	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 2024	1836	rundll32.exe	rundll32.exe
PID 1836 wrote to memory of 2024	1836	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1979f40a1a6ea5d1b3765d51106e1a59.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1979f40a1a6ea5d1b3765d51106e1a59.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1560

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1772

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
56a011bd22804db1f0dd157564ed43a2

SHA1
e2c910f85f8788aa2d8ac98e4654831a44dcb138

SHA256
ace331ef636ed0aac15f44052ed151fdceef40ad9163b20e940804713f20f7d6

SHA512
9bbe82da7a81d133c610de4983d8ac3aa3ec37f59fd74b0f620afe113ad28f943cabc59053513be22b3338e10ee4c552cc7f99025692ffac1f1c7f57decfc713

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
56a011bd22804db1f0dd157564ed43a2

SHA1
e2c910f85f8788aa2d8ac98e4654831a44dcb138

SHA256
ace331ef636ed0aac15f44052ed151fdceef40ad9163b20e940804713f20f7d6

SHA512
9bbe82da7a81d133c610de4983d8ac3aa3ec37f59fd74b0f620afe113ad28f943cabc59053513be22b3338e10ee4c552cc7f99025692ffac1f1c7f57decfc713

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
56a011bd22804db1f0dd157564ed43a2

SHA1
e2c910f85f8788aa2d8ac98e4654831a44dcb138

SHA256
ace331ef636ed0aac15f44052ed151fdceef40ad9163b20e940804713f20f7d6

SHA512
9bbe82da7a81d133c610de4983d8ac3aa3ec37f59fd74b0f620afe113ad28f943cabc59053513be22b3338e10ee4c552cc7f99025692ffac1f1c7f57decfc713

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/1560-56-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000000000000-mapping.dmp

Download
memory/2024-55-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads