wannacry | 55232d804aa5343e8247164b7d0b000ad5600437ab3a4314f35782e84abdeee5

General

Target

a7aaf623771619d8fa6ad2f4cbe119d0.dll
Size

5.0MB
MD5

a7aaf623771619d8fa6ad2f4cbe119d0
SHA1

6fe61fd0720ce969d5c3067d9ac46c014548167e
SHA256

55232d804aa5343e8247164b7d0b000ad5600437ab3a4314f35782e84abdeee5
SHA512

4f8311f09539c4fc0b588e667d8b3b5a6f57f16eb1c7862c249aa15cecef7c53a26a6163cece97b5da6f4a21779939aa6a1bf533dd9959e4b58970c7aaa6517f

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2032 mssecsvc.exe
1316 mssecsvc.exe
1504 tasksche.exe

pid	process
2032	mssecsvc.exe
1316	mssecsvc.exe
1504	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2b-8b-7a-05-32	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\52-2b-8b-7a-05-32	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2b-8b-7a-05-32\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2b-8b-7a-05-32\WpadDecisionTime = 90a334f9eb9bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2b-8b-7a-05-32\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\WpadDecisionTime = 90a334f9eb9bd801	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 2032	968	rundll32.exe	mssecsvc.exe
PID 968 wrote to memory of 2032	968	rundll32.exe	mssecsvc.exe
PID 968 wrote to memory of 2032	968	rundll32.exe	mssecsvc.exe
PID 968 wrote to memory of 2032	968	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7aaf623771619d8fa6ad2f4cbe119d0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7aaf623771619d8fa6ad2f4cbe119d0.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:968

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2032

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1504

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
d3be19db91d0b09b01c79f3ca4b0a5a6

SHA1
3494b7ed07b5342c282591244ab27013121ef40b

SHA256
53421bca7e187e9e3c6ba751c0986918e04cd34299a8d610447fa6b7ec24281b

SHA512
b5f9775513a91d1914ea6fa5c54b9095cfe23a73556d4b22789b69054e6ce97dcbd49fcbc584fa759d836b97c7b29cfc78bd28fd3031373447efd7138a065dc0

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d3be19db91d0b09b01c79f3ca4b0a5a6

SHA1
3494b7ed07b5342c282591244ab27013121ef40b

SHA256
53421bca7e187e9e3c6ba751c0986918e04cd34299a8d610447fa6b7ec24281b

SHA512
b5f9775513a91d1914ea6fa5c54b9095cfe23a73556d4b22789b69054e6ce97dcbd49fcbc584fa759d836b97c7b29cfc78bd28fd3031373447efd7138a065dc0

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d3be19db91d0b09b01c79f3ca4b0a5a6

SHA1
3494b7ed07b5342c282591244ab27013121ef40b

SHA256
53421bca7e187e9e3c6ba751c0986918e04cd34299a8d610447fa6b7ec24281b

SHA512
b5f9775513a91d1914ea6fa5c54b9095cfe23a73556d4b22789b69054e6ce97dcbd49fcbc584fa759d836b97c7b29cfc78bd28fd3031373447efd7138a065dc0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
31165000c5ef31d89c39a7cc1a7d08f0

SHA1
ea7518610f29c524ae49b4bab97524e76b0ebe3f

SHA256
cc3128647df24a9d506884d9929fee707dc4ee68b6b3d5bb3def9c98d435a83a

SHA512
ebbf5d84a0f1792b0cc877b08dddb38042054a387eb5e9dd85b039e6b7c04727d81ba0506763584a1edfca660133de955206cebf30588de6fd6a8ac8e5c843b3

Download Submit
memory/968-54-0x0000000000000000-mapping.dmp

Download
memory/968-55-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads