wannacry | f3556ad1ba65d37716611a9e5878235ce20adcc41d7d99157fbb735098a95449

General

Target

b12ae9ed4b33c4dcff12b16c64a8b8c3.dll
Size

5.0MB
MD5

b12ae9ed4b33c4dcff12b16c64a8b8c3
SHA1

8117bccc6a6361565660f8fbfb459cb35402647e
SHA256

f3556ad1ba65d37716611a9e5878235ce20adcc41d7d99157fbb735098a95449
SHA512

4efb484a564ba530a0702bbb7fc6a24093d6079d71cf5e110cb8f174bde12bc93a57be0ccb40f6e2f1f01cea3d9d548b59ff1500be701e859f9b820854017ff8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1270) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1656 mssecsvc.exe
1484 mssecsvc.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\9a-07-c5-c5-06-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadDecisionTime = 30ff5d15e79bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77\WpadDecisionTime = 30ff5d15e79bd801	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1656 mssecsvc.exe
1484 mssecsvc.exe

Suspicious behavior: MapViewOfSection 44 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid	process
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1656	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe
1484	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 1656 mssecsvc.exe
Token: SeDebugPrivilege 1484 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	1656	mssecsvc.exe
Token: SeDebugPrivilege	1484	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1976 wrote to memory of 896	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 896	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 896	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 896	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 896	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 896	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 896	1976	rundll32.exe	rundll32.exe
PID 896 wrote to memory of 1656	896	rundll32.exe	mssecsvc.exe
PID 896 wrote to memory of 1656	896	rundll32.exe	mssecsvc.exe
PID 896 wrote to memory of 1656	896	rundll32.exe	mssecsvc.exe
PID 896 wrote to memory of 1656	896	rundll32.exe	mssecsvc.exe
PID 1656 wrote to memory of 368	1656	mssecsvc.exe	wininit.exe
PID 1656 wrote to memory of 368	1656	mssecsvc.exe	wininit.exe
PID 1656 wrote to memory of 368	1656	mssecsvc.exe	wininit.exe
PID 1656 wrote to memory of 368	1656	mssecsvc.exe	wininit.exe
PID 1656 wrote to memory of 368	1656	mssecsvc.exe	wininit.exe
PID 1656 wrote to memory of 368	1656	mssecsvc.exe	wininit.exe
PID 1656 wrote to memory of 368	1656	mssecsvc.exe	wininit.exe
PID 1656 wrote to memory of 380	1656	mssecsvc.exe	csrss.exe
PID 1656 wrote to memory of 380	1656	mssecsvc.exe	csrss.exe
PID 1656 wrote to memory of 380	1656	mssecsvc.exe	csrss.exe
PID 1656 wrote to memory of 380	1656	mssecsvc.exe	csrss.exe
PID 1656 wrote to memory of 380	1656	mssecsvc.exe	csrss.exe
PID 1656 wrote to memory of 380	1656	mssecsvc.exe	csrss.exe
PID 1656 wrote to memory of 380	1656	mssecsvc.exe	csrss.exe
PID 1656 wrote to memory of 416	1656	mssecsvc.exe	winlogon.exe
PID 1656 wrote to memory of 416	1656	mssecsvc.exe	winlogon.exe
PID 1656 wrote to memory of 416	1656	mssecsvc.exe	winlogon.exe
PID 1656 wrote to memory of 416	1656	mssecsvc.exe	winlogon.exe
PID 1656 wrote to memory of 416	1656	mssecsvc.exe	winlogon.exe
PID 1656 wrote to memory of 416	1656	mssecsvc.exe	winlogon.exe
PID 1656 wrote to memory of 416	1656	mssecsvc.exe	winlogon.exe
PID 1656 wrote to memory of 460	1656	mssecsvc.exe	services.exe
PID 1656 wrote to memory of 460	1656	mssecsvc.exe	services.exe
PID 1656 wrote to memory of 460	1656	mssecsvc.exe	services.exe
PID 1656 wrote to memory of 460	1656	mssecsvc.exe	services.exe
PID 1656 wrote to memory of 460	1656	mssecsvc.exe	services.exe
PID 1656 wrote to memory of 460	1656	mssecsvc.exe	services.exe
PID 1656 wrote to memory of 460	1656	mssecsvc.exe	services.exe
PID 1656 wrote to memory of 476	1656	mssecsvc.exe	lsass.exe
PID 1656 wrote to memory of 476	1656	mssecsvc.exe	lsass.exe
PID 1656 wrote to memory of 476	1656	mssecsvc.exe	lsass.exe
PID 1656 wrote to memory of 476	1656	mssecsvc.exe	lsass.exe
PID 1656 wrote to memory of 476	1656	mssecsvc.exe	lsass.exe
PID 1656 wrote to memory of 476	1656	mssecsvc.exe	lsass.exe
PID 1656 wrote to memory of 476	1656	mssecsvc.exe	lsass.exe
PID 1656 wrote to memory of 484	1656	mssecsvc.exe	lsm.exe
PID 1656 wrote to memory of 484	1656	mssecsvc.exe	lsm.exe
PID 1656 wrote to memory of 484	1656	mssecsvc.exe	lsm.exe
PID 1656 wrote to memory of 484	1656	mssecsvc.exe	lsm.exe
PID 1656 wrote to memory of 484	1656	mssecsvc.exe	lsm.exe
PID 1656 wrote to memory of 484	1656	mssecsvc.exe	lsm.exe
PID 1656 wrote to memory of 484	1656	mssecsvc.exe	lsm.exe
PID 1656 wrote to memory of 588	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 588	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 588	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 588	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 588	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 588	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 588	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 664	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 664	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 664	1656	mssecsvc.exe	svchost.exe
PID 1656 wrote to memory of 664	1656	mssecsvc.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1160

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1040

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:324

C:\Windows\system32\wininit.exe
wininit.exe
3⤵
PID:368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3⤵
PID:1276

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1996

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b12ae9ed4b33c4dcff12b16c64a8b8c3.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b12ae9ed4b33c4dcff12b16c64a8b8c3.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:896

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\MSSECSVC.EXE
Filesize
3.6MB

MD5
0e15647159daedbe07822b6f72676d01

SHA1
21fb5ae3f42fde4e681adc70b49a53b3a8b40bb5

SHA256
d161364ae27218f3349a0e751b4aa40e3ab08fc09b1109bcce437c0e0478364b

SHA512
dc9b54d4245f2d46c5e7fb0fb5f373bc303f8bbfda82368b407a46caf03223c3e4cb3d8a1e32ce22e8dd72adce05dbf2abbe87f042f5e00352137411f4907fd3

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0e15647159daedbe07822b6f72676d01

SHA1
21fb5ae3f42fde4e681adc70b49a53b3a8b40bb5

SHA256
d161364ae27218f3349a0e751b4aa40e3ab08fc09b1109bcce437c0e0478364b

SHA512
dc9b54d4245f2d46c5e7fb0fb5f373bc303f8bbfda82368b407a46caf03223c3e4cb3d8a1e32ce22e8dd72adce05dbf2abbe87f042f5e00352137411f4907fd3

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0e15647159daedbe07822b6f72676d01

SHA1
21fb5ae3f42fde4e681adc70b49a53b3a8b40bb5

SHA256
d161364ae27218f3349a0e751b4aa40e3ab08fc09b1109bcce437c0e0478364b

SHA512
dc9b54d4245f2d46c5e7fb0fb5f373bc303f8bbfda82368b407a46caf03223c3e4cb3d8a1e32ce22e8dd72adce05dbf2abbe87f042f5e00352137411f4907fd3

Download Submit
memory/896-54-0x0000000000000000-mapping.dmp

Download
memory/896-55-0x0000000075301000-0x0000000075303000-memory.dmp

Filesize
8KB

Download
memory/1484-61-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1484-66-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1656-56-0x0000000000000000-mapping.dmp

Download
memory/1656-62-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1656-64-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1656-65-0x000000007EF80000-0x000000007EF8A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads