wannacry | 1ce398fce3e08622711cb74eb06650dc6ef1d4df3bd928261cc4e5b627b7c7fe

General

Target

4f57b58c0c42d0dfbf27b46b02637434.dll
Size

5.0MB
MD5

4f57b58c0c42d0dfbf27b46b02637434
SHA1

d0aac992276be7ec15af54481ce127bf5e05958f
SHA256

1ce398fce3e08622711cb74eb06650dc6ef1d4df3bd928261cc4e5b627b7c7fe
SHA512

be5632be64efd94281a41a08c0db3d1362abf4210a05c52e1cc2a61abc0ea59bff53211130fa66d7d952ae24721f1fc2978051c007809097b6055b9f6d407cd1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1203) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1364 mssecsvc.exe
1788 mssecsvc.exe
1720 tasksche.exe

pid	process
1364	mssecsvc.exe
1788	mssecsvc.exe
1720	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\WpadDecisionTime = 60369626eb9bd801	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-75-a7-dd-b9-dc\WpadDecisionTime = 60369626eb9bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-75-a7-dd-b9-dc\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-75-a7-dd-b9-dc	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\06-75-a7-dd-b9-dc	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-75-a7-dd-b9-dc\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1800 wrote to memory of 1224	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1224	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1224	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1224	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1224	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1224	1800	rundll32.exe	rundll32.exe
PID 1800 wrote to memory of 1224	1800	rundll32.exe	rundll32.exe
PID 1224 wrote to memory of 1364	1224	rundll32.exe	mssecsvc.exe
PID 1224 wrote to memory of 1364	1224	rundll32.exe	mssecsvc.exe
PID 1224 wrote to memory of 1364	1224	rundll32.exe	mssecsvc.exe
PID 1224 wrote to memory of 1364	1224	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f57b58c0c42d0dfbf27b46b02637434.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f57b58c0c42d0dfbf27b46b02637434.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1224

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1364

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1720

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
85a754c71ed3bff7699d646f84bf7ed4

SHA1
21369d13f6e7ee1ae357c4782427aa3efb702914

SHA256
3270602c4180c5852729667323899773bb6aed20cfd8009d92300c61f86949ac

SHA512
6443594362fb476e51653a1b253e367889989dd4dc5988fa3b73ec88e5b00fdbe462e38e46c303baa2ffba26f9047876ca4bfc6b3f1a1263739286d0c16a062b

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
85a754c71ed3bff7699d646f84bf7ed4

SHA1
21369d13f6e7ee1ae357c4782427aa3efb702914

SHA256
3270602c4180c5852729667323899773bb6aed20cfd8009d92300c61f86949ac

SHA512
6443594362fb476e51653a1b253e367889989dd4dc5988fa3b73ec88e5b00fdbe462e38e46c303baa2ffba26f9047876ca4bfc6b3f1a1263739286d0c16a062b

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
85a754c71ed3bff7699d646f84bf7ed4

SHA1
21369d13f6e7ee1ae357c4782427aa3efb702914

SHA256
3270602c4180c5852729667323899773bb6aed20cfd8009d92300c61f86949ac

SHA512
6443594362fb476e51653a1b253e367889989dd4dc5988fa3b73ec88e5b00fdbe462e38e46c303baa2ffba26f9047876ca4bfc6b3f1a1263739286d0c16a062b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
e6c7d5762c3cdcfb416c36c1a6aec15f

SHA1
442cf1cc31390b20c13f9a7ebc430f2030bf165c

SHA256
f056e0c7ef9fff5838ccdf2754931761839552b36b99997cb6d9fb10770606d4

SHA512
54d9926d4addf5f48a66623c19b4ad019ea1325e468e412e4c3042adc005b79d0344c06a189cf34ffd8401391904249d61f411be166c25984170e74e518e23f2

Download Submit
memory/1224-54-0x0000000000000000-mapping.dmp

Download
memory/1224-55-0x0000000076291000-0x0000000076293000-memory.dmp

Filesize
8KB

Download
memory/1364-56-0x0000000000000000-mapping.dmp

Download
memory/1364-59-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1364-65-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1788-63-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1788-66-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads