wannacry | c8db12d4e1b926b79ef7857e91b34e909b8024c3eaaab8580e4e1d157eaa726f

General

Target

2a3576b7a781ed83ef73954c33b235f9.dll
Size

5.0MB
MD5

2a3576b7a781ed83ef73954c33b235f9
SHA1

89da95dd1f288ad96ed5e79907bd7eeb1e5af63f
SHA256

c8db12d4e1b926b79ef7857e91b34e909b8024c3eaaab8580e4e1d157eaa726f
SHA512

4cdd8839a5efbdff79a6fb44abc7e8f934d6ac50b63838a149e3635ff398bb28424375340c3b756fb1400382680a3a702d00cd38756e0be1815292645ca78db1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1267) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2008 mssecsvc.exe
1228 mssecsvc.exe
1716 tasksche.exe

pid	process
2008	mssecsvc.exe
1228	mssecsvc.exe
1716	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 884 wrote to memory of 1044	884	rundll32.exe	rundll32.exe
PID 884 wrote to memory of 1044	884	rundll32.exe	rundll32.exe
PID 884 wrote to memory of 1044	884	rundll32.exe	rundll32.exe
PID 884 wrote to memory of 1044	884	rundll32.exe	rundll32.exe
PID 884 wrote to memory of 1044	884	rundll32.exe	rundll32.exe
PID 884 wrote to memory of 1044	884	rundll32.exe	rundll32.exe
PID 884 wrote to memory of 1044	884	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	mssecsvc.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	mssecsvc.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	mssecsvc.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3576b7a781ed83ef73954c33b235f9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3576b7a781ed83ef73954c33b235f9.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1044

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2008

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1716

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
0f9632795175be3e6c78137870eee044

SHA1
b8d48e7f0f3410424d42f8f6b706086260731017

SHA256
329c8f13936f314bfad185043746ef9a4f29e5565a1e6a4b419891613329fcba

SHA512
a68797c8e4264059692ac1312e92fc4d3a33953c98a299c375a7b62c2a5bdca7d8a4b13e5f2fe2e40f528be7af53361ac18ee682781985af6780653e741ea5c2

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0f9632795175be3e6c78137870eee044

SHA1
b8d48e7f0f3410424d42f8f6b706086260731017

SHA256
329c8f13936f314bfad185043746ef9a4f29e5565a1e6a4b419891613329fcba

SHA512
a68797c8e4264059692ac1312e92fc4d3a33953c98a299c375a7b62c2a5bdca7d8a4b13e5f2fe2e40f528be7af53361ac18ee682781985af6780653e741ea5c2

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0f9632795175be3e6c78137870eee044

SHA1
b8d48e7f0f3410424d42f8f6b706086260731017

SHA256
329c8f13936f314bfad185043746ef9a4f29e5565a1e6a4b419891613329fcba

SHA512
a68797c8e4264059692ac1312e92fc4d3a33953c98a299c375a7b62c2a5bdca7d8a4b13e5f2fe2e40f528be7af53361ac18ee682781985af6780653e741ea5c2

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a089e2e733a58751cab58ba261acc543

SHA1
5dfeb7e02d81bf5eb545c8993e49d48853ab30a9

SHA256
06a24b8386dfff1fa844846aafd8d9c5fda5c5687a84a3b53ffaf62d995498e3

SHA512
c5d924b45790f4687fddaf5bbb44200fd10d4016cc482cc9abff00f3ef725d6155f95a7934c81178bb5dde82ce8af93a2540cedfda0d7b3d7d90dce242268cb7

Download Submit
memory/1044-54-0x0000000000000000-mapping.dmp

Download
memory/1044-55-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1228-61-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1228-66-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2008-56-0x0000000000000000-mapping.dmp

Download
memory/2008-62-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2008-65-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing