wannacry | 24ee543a7b55c9737f32d04577660d274670a9394f7442710940f890f9a858cb

General

Target

db46a4b5602028e2dfbfe66f18ddb03e.dll
Size

5.0MB
MD5

db46a4b5602028e2dfbfe66f18ddb03e
SHA1

9fd7d3d26e152c61d34d02b5279a03d590cb6276
SHA256

24ee543a7b55c9737f32d04577660d274670a9394f7442710940f890f9a858cb
SHA512

42a14d80b222fe2a681d62426398c3fbc7dc8341045b7c7fa0c7ad7eba5830c56db26da151f6e7469d5bf8e87df36cac94ef27dfd2e02f7f6c104a0cbe674155

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3181) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

4168 mssecsvr.exe
4780 mssecsvr.exe
2180 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

pid	process
4168	mssecsvr.exe
4780	mssecsvr.exe
2180	tasksche.exe

Drops file in Windows directory 4 IoCs

Processes:

mssecsvr.exetasksche.exerundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240568718	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exe

description	pid	process	target process
PID 4060 wrote to memory of 4584	4060	rundll32.exe	rundll32.exe
PID 4060 wrote to memory of 4584	4060	rundll32.exe	rundll32.exe
PID 4060 wrote to memory of 4584	4060	rundll32.exe	rundll32.exe
PID 4584 wrote to memory of 4168	4584	rundll32.exe	mssecsvr.exe
PID 4584 wrote to memory of 4168	4584	rundll32.exe	mssecsvr.exe
PID 4584 wrote to memory of 4168	4584	rundll32.exe	mssecsvr.exe
PID 4168 wrote to memory of 2180	4168	mssecsvr.exe	tasksche.exe
PID 4168 wrote to memory of 2180	4168	mssecsvr.exe	tasksche.exe
PID 4168 wrote to memory of 2180	4168	mssecsvr.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db46a4b5602028e2dfbfe66f18ddb03e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db46a4b5602028e2dfbfe66f18ddb03e.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4584

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4168

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2180

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
49f826ec9f9616dd4bdc60adb295a192

SHA1
d548b2ef2dd8dd00eab22678a69449e80dca154b

SHA256
a82bd3c02c58381abed46b0dd4758d00c3f5ea4675cbf65ff67f26686f43985a

SHA512
006f5b043a950d39d9bb8baea7919ce8a9f8120166fcb2a01fdd1bef1fd1f5db20b4c8141a90b52f67a8a4f51fb83658be28820754c72c7f8ff15889d6193709

Download Submit
C:\WINDOWS\tasksche.exe
Filesize
2.0MB

MD5
4ea2a08593aca265499ebca88db8d086

SHA1
5d9427fc8304d771c9518ede2cd32bdb21cc712f

SHA256
e288d806266c50e3aaf13fa7fbd587a81f9858e2857200328d493f627f74e891

SHA512
76af1d8e74a59bc6ff55e9395251f32f8c7ac7416b0b3d3115f2fc04e723beae3c1e5d8ca42d1e27d27ec8d05e61f6b0bf3d1d5390ea2ac79b99ff6cd9b3c57a

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
49f826ec9f9616dd4bdc60adb295a192

SHA1
d548b2ef2dd8dd00eab22678a69449e80dca154b

SHA256
a82bd3c02c58381abed46b0dd4758d00c3f5ea4675cbf65ff67f26686f43985a

SHA512
006f5b043a950d39d9bb8baea7919ce8a9f8120166fcb2a01fdd1bef1fd1f5db20b4c8141a90b52f67a8a4f51fb83658be28820754c72c7f8ff15889d6193709

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
49f826ec9f9616dd4bdc60adb295a192

SHA1
d548b2ef2dd8dd00eab22678a69449e80dca154b

SHA256
a82bd3c02c58381abed46b0dd4758d00c3f5ea4675cbf65ff67f26686f43985a

SHA512
006f5b043a950d39d9bb8baea7919ce8a9f8120166fcb2a01fdd1bef1fd1f5db20b4c8141a90b52f67a8a4f51fb83658be28820754c72c7f8ff15889d6193709

Download Submit
C:\Windows\tasksche.exe
Filesize
2.0MB

MD5
4ea2a08593aca265499ebca88db8d086

SHA1
5d9427fc8304d771c9518ede2cd32bdb21cc712f

SHA256
e288d806266c50e3aaf13fa7fbd587a81f9858e2857200328d493f627f74e891

SHA512
76af1d8e74a59bc6ff55e9395251f32f8c7ac7416b0b3d3115f2fc04e723beae3c1e5d8ca42d1e27d27ec8d05e61f6b0bf3d1d5390ea2ac79b99ff6cd9b3c57a

Download Submit
memory/2180-135-0x0000000000000000-mapping.dmp

Download
memory/4168-131-0x0000000000000000-mapping.dmp

Download
memory/4584-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads