wannacry | 6448d228f342fb138a747f8fa317b004553f36f83fdd1b200baf80b7b9d9f5da

General

Target

2de468a78a23789fd3ae2715b08b919a.dll
Size

5.0MB
MD5

2de468a78a23789fd3ae2715b08b919a
SHA1

b552f34a006c309706ea1d4294f7e75a078beda3
SHA256

6448d228f342fb138a747f8fa317b004553f36f83fdd1b200baf80b7b9d9f5da
SHA512

83a622c6b4c59becffa9d3306e0a24db9e840f316a4f16ceac6f2294706a987f9fd48d1827560252134e6017f81269eedc2219624e4feb50688053d0e711c529

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (991) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1812 mssecsvc.exe
516 mssecsvc.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A8E94B1C-2757-4A54-96B6-334B6EEB242A}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A8E94B1C-2757-4A54-96B6-334B6EEB242A}\WpadDecisionTime = 508b98f7e19bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A8E94B1C-2757-4A54-96B6-334B6EEB242A}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5c-1d-0c-23-5f\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A8E94B1C-2757-4A54-96B6-334B6EEB242A}\3a-5c-1d-0c-23-5f	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5c-1d-0c-23-5f\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A8E94B1C-2757-4A54-96B6-334B6EEB242A}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A8E94B1C-2757-4A54-96B6-334B6EEB242A}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5c-1d-0c-23-5f	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5c-1d-0c-23-5f\WpadDecisionTime = 508b98f7e19bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ca000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1812 mssecsvc.exe
516 mssecsvc.exe

Suspicious behavior: MapViewOfSection 46 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid	process
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
1812	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe
516	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 1812 mssecsvc.exe
Token: SeDebugPrivilege 516 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	1812	mssecsvc.exe
Token: SeDebugPrivilege	516	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1976 wrote to memory of 1952	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1952	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1952	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1952	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1952	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1952	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1952	1976	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 1812	1952	rundll32.exe	mssecsvc.exe
PID 1952 wrote to memory of 1812	1952	rundll32.exe	mssecsvc.exe
PID 1952 wrote to memory of 1812	1952	rundll32.exe	mssecsvc.exe
PID 1952 wrote to memory of 1812	1952	rundll32.exe	mssecsvc.exe
PID 1812 wrote to memory of 368	1812	mssecsvc.exe	wininit.exe
PID 1812 wrote to memory of 368	1812	mssecsvc.exe	wininit.exe
PID 1812 wrote to memory of 368	1812	mssecsvc.exe	wininit.exe
PID 1812 wrote to memory of 368	1812	mssecsvc.exe	wininit.exe
PID 1812 wrote to memory of 368	1812	mssecsvc.exe	wininit.exe
PID 1812 wrote to memory of 368	1812	mssecsvc.exe	wininit.exe
PID 1812 wrote to memory of 368	1812	mssecsvc.exe	wininit.exe
PID 1812 wrote to memory of 380	1812	mssecsvc.exe	csrss.exe
PID 1812 wrote to memory of 380	1812	mssecsvc.exe	csrss.exe
PID 1812 wrote to memory of 380	1812	mssecsvc.exe	csrss.exe
PID 1812 wrote to memory of 380	1812	mssecsvc.exe	csrss.exe
PID 1812 wrote to memory of 380	1812	mssecsvc.exe	csrss.exe
PID 1812 wrote to memory of 380	1812	mssecsvc.exe	csrss.exe
PID 1812 wrote to memory of 380	1812	mssecsvc.exe	csrss.exe
PID 1812 wrote to memory of 416	1812	mssecsvc.exe	winlogon.exe
PID 1812 wrote to memory of 416	1812	mssecsvc.exe	winlogon.exe
PID 1812 wrote to memory of 416	1812	mssecsvc.exe	winlogon.exe
PID 1812 wrote to memory of 416	1812	mssecsvc.exe	winlogon.exe
PID 1812 wrote to memory of 416	1812	mssecsvc.exe	winlogon.exe
PID 1812 wrote to memory of 416	1812	mssecsvc.exe	winlogon.exe
PID 1812 wrote to memory of 416	1812	mssecsvc.exe	winlogon.exe
PID 1812 wrote to memory of 464	1812	mssecsvc.exe	services.exe
PID 1812 wrote to memory of 464	1812	mssecsvc.exe	services.exe
PID 1812 wrote to memory of 464	1812	mssecsvc.exe	services.exe
PID 1812 wrote to memory of 464	1812	mssecsvc.exe	services.exe
PID 1812 wrote to memory of 464	1812	mssecsvc.exe	services.exe
PID 1812 wrote to memory of 464	1812	mssecsvc.exe	services.exe
PID 1812 wrote to memory of 464	1812	mssecsvc.exe	services.exe
PID 1812 wrote to memory of 472	1812	mssecsvc.exe	lsass.exe
PID 1812 wrote to memory of 472	1812	mssecsvc.exe	lsass.exe
PID 1812 wrote to memory of 472	1812	mssecsvc.exe	lsass.exe
PID 1812 wrote to memory of 472	1812	mssecsvc.exe	lsass.exe
PID 1812 wrote to memory of 472	1812	mssecsvc.exe	lsass.exe
PID 1812 wrote to memory of 472	1812	mssecsvc.exe	lsass.exe
PID 1812 wrote to memory of 472	1812	mssecsvc.exe	lsass.exe
PID 1812 wrote to memory of 480	1812	mssecsvc.exe	lsm.exe
PID 1812 wrote to memory of 480	1812	mssecsvc.exe	lsm.exe
PID 1812 wrote to memory of 480	1812	mssecsvc.exe	lsm.exe
PID 1812 wrote to memory of 480	1812	mssecsvc.exe	lsm.exe
PID 1812 wrote to memory of 480	1812	mssecsvc.exe	lsm.exe
PID 1812 wrote to memory of 480	1812	mssecsvc.exe	lsm.exe
PID 1812 wrote to memory of 480	1812	mssecsvc.exe	lsm.exe
PID 1812 wrote to memory of 596	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 596	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 596	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 596	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 596	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 596	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 596	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 672	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 672	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 672	1812	mssecsvc.exe	svchost.exe
PID 1812 wrote to memory of 672	1812	mssecsvc.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
3⤵
PID:1920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:840

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:108

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2de468a78a23789fd3ae2715b08b919a.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2de468a78a23789fd3ae2715b08b919a.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1928

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\MSSECSVC.EXE
Filesize
3.6MB

MD5
d67ed037dc59a12f853ad3e2022b8aae

SHA1
ef95fd53062ca7288053029903e4e20c4fd87f22

SHA256
6a6f35646216bcaa415983f3e5ab4196e72da131bb70af2ef6191d63f938dcab

SHA512
3441e18099af9cb9612783c125b9bf65786c15b9928c2f128cc2b66100c68afd05e87194d5d36248001845cfaee7bd67dd9c2a4f3595044c96661d8847211497

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d67ed037dc59a12f853ad3e2022b8aae

SHA1
ef95fd53062ca7288053029903e4e20c4fd87f22

SHA256
6a6f35646216bcaa415983f3e5ab4196e72da131bb70af2ef6191d63f938dcab

SHA512
3441e18099af9cb9612783c125b9bf65786c15b9928c2f128cc2b66100c68afd05e87194d5d36248001845cfaee7bd67dd9c2a4f3595044c96661d8847211497

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d67ed037dc59a12f853ad3e2022b8aae

SHA1
ef95fd53062ca7288053029903e4e20c4fd87f22

SHA256
6a6f35646216bcaa415983f3e5ab4196e72da131bb70af2ef6191d63f938dcab

SHA512
3441e18099af9cb9612783c125b9bf65786c15b9928c2f128cc2b66100c68afd05e87194d5d36248001845cfaee7bd67dd9c2a4f3595044c96661d8847211497

Download Submit
memory/516-65-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1812-56-0x0000000000000000-mapping.dmp

Download
memory/1812-59-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1812-64-0x000000007EF80000-0x000000007EF8C000-memory.dmp

Filesize
48KB

Download
memory/1812-63-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1952-54-0x0000000000000000-mapping.dmp

Download
memory/1952-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads