wannacry | 8b4cbe2178443b6850797809888a8034ec392f7da4cdfa101405e8089fd79904

General

Target

150e4b841fe23355e211a194d1651b05.dll
Size

5.0MB
MD5

150e4b841fe23355e211a194d1651b05
SHA1

5f4b745fccc00deda14c9734a7d674c544988974
SHA256

8b4cbe2178443b6850797809888a8034ec392f7da4cdfa101405e8089fd79904
SHA512

696b033baedbb1f57bc7136389c5fd3de580c36483acb1c7e9409504a9c668828950b733a1db79687da1ccb93bb6d29d28f667060be50a075d25307a17f2b845

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1251) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1148 mssecsvc.exe
1208 mssecsvc.exe
920 tasksche.exe

pid	process
1148	mssecsvc.exe
1208	mssecsvc.exe
920	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadDecisionTime = f0948b6aeb9bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\4a-be-6e-b9-73-90	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90\WpadDecisionTime = f0948b6aeb9bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadNetworkName = "Network 3"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 892 wrote to memory of 1816	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1816	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1816	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1816	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1816	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1816	892	rundll32.exe	rundll32.exe
PID 892 wrote to memory of 1816	892	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1148	1816	rundll32.exe	mssecsvc.exe
PID 1816 wrote to memory of 1148	1816	rundll32.exe	mssecsvc.exe
PID 1816 wrote to memory of 1148	1816	rundll32.exe	mssecsvc.exe
PID 1816 wrote to memory of 1148	1816	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\150e4b841fe23355e211a194d1651b05.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\150e4b841fe23355e211a194d1651b05.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1816

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1148

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:920

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
ff29ff8a954add4f54bf23039ec9e41c

SHA1
95350e9107d77589c9822f105eee33f64c68af85

SHA256
f44c080cbe80e219a2fdbe1c1f1cd91d9fbebf364c256552029d5f6089b1ae6a

SHA512
a67ec38804fd7dce4b64e54187f5fb4706e5c0f5db7d219c6d41b240765afd2b26f662fc1b7aef085b0eefe51bce498e6b6e3579ec3a6532a96cceea3d0575c0

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ff29ff8a954add4f54bf23039ec9e41c

SHA1
95350e9107d77589c9822f105eee33f64c68af85

SHA256
f44c080cbe80e219a2fdbe1c1f1cd91d9fbebf364c256552029d5f6089b1ae6a

SHA512
a67ec38804fd7dce4b64e54187f5fb4706e5c0f5db7d219c6d41b240765afd2b26f662fc1b7aef085b0eefe51bce498e6b6e3579ec3a6532a96cceea3d0575c0

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ff29ff8a954add4f54bf23039ec9e41c

SHA1
95350e9107d77589c9822f105eee33f64c68af85

SHA256
f44c080cbe80e219a2fdbe1c1f1cd91d9fbebf364c256552029d5f6089b1ae6a

SHA512
a67ec38804fd7dce4b64e54187f5fb4706e5c0f5db7d219c6d41b240765afd2b26f662fc1b7aef085b0eefe51bce498e6b6e3579ec3a6532a96cceea3d0575c0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
ea5f3c4c30dcf0b1080f374c4ce9e973

SHA1
d3f5cefddb160ee8ae3eb72f802d52c7de923056

SHA256
e2e7326877fae0ff5ab917853d9d37cf4c15dd1908d53d65c4b93b3bd983c06d

SHA512
8df561603aeb276088bc5dfabfa320c938a9ac6b5e46fd6357604c7e00defa7a59ab44f201d6175ac39e16a343981b99f2a969ff88cc392126bebe51faa2e110

Download Submit
memory/1148-56-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x0000000000000000-mapping.dmp

Download
memory/1816-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads