wannacry | 95f9847e020b97c1a3bc47d33c15da892958bb76c95153696eda1f13e454ddf5

General

Target

fa9bb5a74ad749bb95240fa0083b35c6.dll
Size

5.0MB
MD5

fa9bb5a74ad749bb95240fa0083b35c6
SHA1

f719d58e07c62fe657c7410605312c6214aaa80e
SHA256

95f9847e020b97c1a3bc47d33c15da892958bb76c95153696eda1f13e454ddf5
SHA512

84d18a8d85ed3e92703cd4a2fe9e5350d418ad6aea80adf6ac85e7cb4f821e183af6a8b2abca50b40654d0d462a4a2817e6d39d7d3ef17f90f0c0e67b6fe0771

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1269) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1912 mssecsvc.exe
1652 mssecsvc.exe
912 tasksche.exe

pid	process
1912	mssecsvc.exe
1652	mssecsvc.exe
912	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\06-5e-a2-7c-72-e4	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecisionTime = 700bc7f9de9bd801	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecisionTime = 700bc7f9de9bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadNetworkName = "Network 3"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 996 wrote to memory of 1600	996	rundll32.exe	rundll32.exe
PID 996 wrote to memory of 1600	996	rundll32.exe	rundll32.exe
PID 996 wrote to memory of 1600	996	rundll32.exe	rundll32.exe
PID 996 wrote to memory of 1600	996	rundll32.exe	rundll32.exe
PID 996 wrote to memory of 1600	996	rundll32.exe	rundll32.exe
PID 996 wrote to memory of 1600	996	rundll32.exe	rundll32.exe
PID 996 wrote to memory of 1600	996	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 1912	1600	rundll32.exe	mssecsvc.exe
PID 1600 wrote to memory of 1912	1600	rundll32.exe	mssecsvc.exe
PID 1600 wrote to memory of 1912	1600	rundll32.exe	mssecsvc.exe
PID 1600 wrote to memory of 1912	1600	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa9bb5a74ad749bb95240fa0083b35c6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa9bb5a74ad749bb95240fa0083b35c6.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1600

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1912

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:912

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
dd9c27cab3dd0131d886d09f9cd68e72

SHA1
7410c25403515861e3cf9ef18ecb04fdd809da5d

SHA256
1727394428b5277b0c32931f15d2a464970b2f3647545c0126628891868db4d6

SHA512
15e4df392e45685ce63853a06753bcb3fdae1097d2c878fc4c03069610bdea7ba95baf892cfc9e5c526d7b8246856049368d88f78e9a25f6ca53b92a0d5ccd36

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
dd9c27cab3dd0131d886d09f9cd68e72

SHA1
7410c25403515861e3cf9ef18ecb04fdd809da5d

SHA256
1727394428b5277b0c32931f15d2a464970b2f3647545c0126628891868db4d6

SHA512
15e4df392e45685ce63853a06753bcb3fdae1097d2c878fc4c03069610bdea7ba95baf892cfc9e5c526d7b8246856049368d88f78e9a25f6ca53b92a0d5ccd36

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
dd9c27cab3dd0131d886d09f9cd68e72

SHA1
7410c25403515861e3cf9ef18ecb04fdd809da5d

SHA256
1727394428b5277b0c32931f15d2a464970b2f3647545c0126628891868db4d6

SHA512
15e4df392e45685ce63853a06753bcb3fdae1097d2c878fc4c03069610bdea7ba95baf892cfc9e5c526d7b8246856049368d88f78e9a25f6ca53b92a0d5ccd36

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9c41886937fa59911c99a546c54a6a6b

SHA1
065317b9c188e612d9a32ad41d7158d803c96f3d

SHA256
c71a6b911888a1144215f78c3f89c41532de72e36498565183a5f7e0150a3d01

SHA512
9774e4d89b772ca63389f72a2f89b44e5ab4fef8607cc873e9b904dd3e2b5a982856dd42e4d2c37b9b97fd8bd193b8fa3ce187b28ecc1f688202c125932535ab

Download Submit
memory/1600-54-0x0000000000000000-mapping.dmp

Download
memory/1600-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1912-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads