wannacry | 1616ac5ea843d3c16cc332eef4b910fddf5cab1c9f6e98fe17a87bbf8f3c15ce

General

Target

43b8bb691f84c4ec8b4030f251681bcb.dll
Size

5.0MB
MD5

43b8bb691f84c4ec8b4030f251681bcb
SHA1

088dcb05085bd3228f55c0feb15d5ace31ca4ad8
SHA256

1616ac5ea843d3c16cc332eef4b910fddf5cab1c9f6e98fe17a87bbf8f3c15ce
SHA512

60f904f3dfceb48ae2479f4866d55e575091f70de622c78a1e15fa4fb5b293e5951822c936f0dc867c92472aba26a74d6c437299be7854badfb4d0030018887b

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1271) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1656 mssecsvc.exe
340 mssecsvc.exe
560 tasksche.exe

pid	process
1656	mssecsvc.exe
340	mssecsvc.exe
560	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadDecisionTime = c0740e1ae69bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\9a-07-c5-c5-06-77	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77\WpadDecisionTime = c0740e1ae69bd801	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1948 wrote to memory of 1752	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1752	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1752	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1752	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1752	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1752	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1752	1948	rundll32.exe	rundll32.exe
PID 1752 wrote to memory of 1656	1752	rundll32.exe	mssecsvc.exe
PID 1752 wrote to memory of 1656	1752	rundll32.exe	mssecsvc.exe
PID 1752 wrote to memory of 1656	1752	rundll32.exe	mssecsvc.exe
PID 1752 wrote to memory of 1656	1752	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\43b8bb691f84c4ec8b4030f251681bcb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\43b8bb691f84c4ec8b4030f251681bcb.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1752

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1656

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:560

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
0a5223e227654339ebcc279a17b57ad0

SHA1
54964ea82b546bca05219fba0c359480f4e16e47

SHA256
9e7ec63682777109e85948cea01bd2eeb708541ec41c86055faef9d29da3b32b

SHA512
f583bd7b4f266653a76b329f490ddf9fab1f42edc6e6493263cffad2de518ffda660306294c689dda6ced03a182b0aef58821553b0a26b3b89e507d5bebba57d

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0a5223e227654339ebcc279a17b57ad0

SHA1
54964ea82b546bca05219fba0c359480f4e16e47

SHA256
9e7ec63682777109e85948cea01bd2eeb708541ec41c86055faef9d29da3b32b

SHA512
f583bd7b4f266653a76b329f490ddf9fab1f42edc6e6493263cffad2de518ffda660306294c689dda6ced03a182b0aef58821553b0a26b3b89e507d5bebba57d

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0a5223e227654339ebcc279a17b57ad0

SHA1
54964ea82b546bca05219fba0c359480f4e16e47

SHA256
9e7ec63682777109e85948cea01bd2eeb708541ec41c86055faef9d29da3b32b

SHA512
f583bd7b4f266653a76b329f490ddf9fab1f42edc6e6493263cffad2de518ffda660306294c689dda6ced03a182b0aef58821553b0a26b3b89e507d5bebba57d

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
0fca8a8f7a034f96c28820ee6f9dcdc8

SHA1
f3e7fd687ba1522067bdae885ea9550c02413cec

SHA256
26a87ddd5c320a71b2326f8ecd20caa0065cd055825c8df6c0e49a91efaa6a47

SHA512
09899b15e17004ca7ea1f3e3500d98588491c4c68c98f1faee599c81d6424cfe5ca580889a9ed5d69c004c475a98bfc4770123af1dd0e601dad4f0915accb894

Download Submit
memory/1656-56-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x0000000000000000-mapping.dmp

Download
memory/1752-55-0x0000000075301000-0x0000000075303000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads