wannacry | dc91b3c7e34025c093ace464aea3c2ce961c90032a61d8b861f35423b2784fcb

General

Target

7cf21cdad3e9afe55c93277c8a6bdf05.dll
Size

5.0MB
MD5

7cf21cdad3e9afe55c93277c8a6bdf05
SHA1

62b524d643680feb04e3b779236852f05204b0b5
SHA256

dc91b3c7e34025c093ace464aea3c2ce961c90032a61d8b861f35423b2784fcb
SHA512

159cb8929ca242dd03bd40c6041c0f2554ddf18c6e4442c70e7b2c906dda5590482867b3673c1550c57530581c30091431d44864a02f4b9dc4c9aa371480d3d9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1225) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1912 mssecsvc.exe
1720 mssecsvc.exe
832 tasksche.exe

pid	process
1912	mssecsvc.exe
1720	mssecsvc.exe
832	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53AD3FDE-7298-4E50-9853-0162DA26E8F8}\WpadDecisionTime = 1056d15be79bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53AD3FDE-7298-4E50-9853-0162DA26E8F8}\26-23-c3-8c-41-59	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-23-c3-8c-41-59\WpadDecisionTime = 1056d15be79bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53AD3FDE-7298-4E50-9853-0162DA26E8F8}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53AD3FDE-7298-4E50-9853-0162DA26E8F8}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-23-c3-8c-41-59\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53AD3FDE-7298-4E50-9853-0162DA26E8F8}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53AD3FDE-7298-4E50-9853-0162DA26E8F8}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-23-c3-8c-41-59	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-23-c3-8c-41-59\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 752 wrote to memory of 336	752	rundll32.exe	rundll32.exe
PID 336 wrote to memory of 1912	336	rundll32.exe	mssecsvc.exe
PID 336 wrote to memory of 1912	336	rundll32.exe	mssecsvc.exe
PID 336 wrote to memory of 1912	336	rundll32.exe	mssecsvc.exe
PID 336 wrote to memory of 1912	336	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7cf21cdad3e9afe55c93277c8a6bdf05.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7cf21cdad3e9afe55c93277c8a6bdf05.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:336

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1912

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:832

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
487517773cf300fa7aec3e686fb5f239

SHA1
15bde3458a80106ce367774ad51f210d7a83ed16

SHA256
c16ea664482d60d4709e7adf66c20a1bd0e7770c2b16f1c7b4eccb9802ebe8c3

SHA512
da5a8cd79586a0acb3906be6e28655f95c1484aa49810ef9faaee6d39d2c67630c3861b4aaad43c483fa9035fb8f8a20a94751ac065928cb578eca3cdbf59a68

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
487517773cf300fa7aec3e686fb5f239

SHA1
15bde3458a80106ce367774ad51f210d7a83ed16

SHA256
c16ea664482d60d4709e7adf66c20a1bd0e7770c2b16f1c7b4eccb9802ebe8c3

SHA512
da5a8cd79586a0acb3906be6e28655f95c1484aa49810ef9faaee6d39d2c67630c3861b4aaad43c483fa9035fb8f8a20a94751ac065928cb578eca3cdbf59a68

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
487517773cf300fa7aec3e686fb5f239

SHA1
15bde3458a80106ce367774ad51f210d7a83ed16

SHA256
c16ea664482d60d4709e7adf66c20a1bd0e7770c2b16f1c7b4eccb9802ebe8c3

SHA512
da5a8cd79586a0acb3906be6e28655f95c1484aa49810ef9faaee6d39d2c67630c3861b4aaad43c483fa9035fb8f8a20a94751ac065928cb578eca3cdbf59a68

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
8728773b11617f5823f8bd3824bdd40d

SHA1
94e25218bbc2c748797d22d610ecc08f3b03d94d

SHA256
e39123f4e7c1b2cbc62e1a79d0b396c48f894c6f82f978a519cf23d77c0c77c1

SHA512
9f93aebce8d2502ac0591f0b0f2fe49924cd0a2fe04faace50931b46f5901c570f313e9b4a8136ec169a1cd494f05a0bd1db280a8b7e4763ea8bb269be1a658a

Download Submit
memory/336-54-0x0000000000000000-mapping.dmp

Download
memory/336-55-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1912-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads