wannacry | f7a244b2769935910f368021c1cb123f72b3822ab6a3f844e9169b1cf100da22

General

Target

6ac6507b0b0b519d15e3724721675d0c.dll
Size

5.0MB
MD5

6ac6507b0b0b519d15e3724721675d0c
SHA1

1c41949e4e84d84b7f827d3bf9ff0d5f154c195b
SHA256

f7a244b2769935910f368021c1cb123f72b3822ab6a3f844e9169b1cf100da22
SHA512

29d98c34e2543bcce8b3229afc8361cb9dff1f97076fd7c1e9f0ed4c95335d8c016c61e9b502d59969f956f071ed59b42a76931a3c2b59aedc26ba31aee55c07

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1226) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

952 mssecsvr.exe
1220 mssecsvr.exe
760 tasksche.exe

pid	process
952	mssecsvr.exe
1220	mssecsvr.exe
760	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe

Drops file in Windows directory 4 IoCs

Processes:

rundll32.exemssecsvr.exetasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_7077281	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\WpadNetworkName = "Network 3"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\be-58-1e-83-6e-6a	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a\WpadDecisionTime = 80ffb77ee79bd801	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-58-1e-83-6e-6a\WpadDecisionReason = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\WpadDecision = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\WpadDecisionReason = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0E3374F0-2B66-4E89-B939-F3C51C980197}\WpadDecisionTime = 80ffb77ee79bd801	mssecsvr.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exe

description	pid	process	target process
PID 1964 wrote to memory of 1732	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1732	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1732	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1732	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1732	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1732	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1732	1964	rundll32.exe	rundll32.exe
PID 1732 wrote to memory of 952	1732	rundll32.exe	mssecsvr.exe
PID 1732 wrote to memory of 952	1732	rundll32.exe	mssecsvr.exe
PID 1732 wrote to memory of 952	1732	rundll32.exe	mssecsvr.exe
PID 1732 wrote to memory of 952	1732	rundll32.exe	mssecsvr.exe
PID 952 wrote to memory of 760	952	mssecsvr.exe	tasksche.exe
PID 952 wrote to memory of 760	952	mssecsvr.exe	tasksche.exe
PID 952 wrote to memory of 760	952	mssecsvr.exe	tasksche.exe
PID 952 wrote to memory of 760	952	mssecsvr.exe	tasksche.exe
PID 952 wrote to memory of 760	952	mssecsvr.exe	tasksche.exe
PID 952 wrote to memory of 760	952	mssecsvr.exe	tasksche.exe
PID 952 wrote to memory of 760	952	mssecsvr.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac6507b0b0b519d15e3724721675d0c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac6507b0b0b519d15e3724721675d0c.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1732

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:952

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:760

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
c1a66896851931d109534feb0bfee6c3

SHA1
0c48c9ae51826781ab3d7fb530e11d315617f0bf

SHA256
69715de14478ab04f62ab2f386c6b6835f3156cb931baa6c6cf4d5a6ebd6dca6

SHA512
e312adef421d1bd704322a1ee61087b33f4f83d429f19f2c3c5f133bbc9f3c4b29890d08a14c1759a2662e143b38d1796373820cb9d1c3e63dd913ff59200c37

Download Submit
C:\WINDOWS\tasksche.exe
Filesize
2.0MB

MD5
a7c2674187556e355208e61a88be97a1

SHA1
c3a06f5022c108ac279b04bd8542f693cfaf795d

SHA256
a7a524bb861b7faa5bc98637dbe9b995f9ac2cd27e19d3f6babefda6a150a8fd

SHA512
cb380a0d2aac56bb13f337a65b68a2ecb8f677b83fe38e6c23ee69877aff3198b34265b186cf47ebe2008340a3fb4cb18179c4b8cc6ed978b5d84acecd5db8fb

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
c1a66896851931d109534feb0bfee6c3

SHA1
0c48c9ae51826781ab3d7fb530e11d315617f0bf

SHA256
69715de14478ab04f62ab2f386c6b6835f3156cb931baa6c6cf4d5a6ebd6dca6

SHA512
e312adef421d1bd704322a1ee61087b33f4f83d429f19f2c3c5f133bbc9f3c4b29890d08a14c1759a2662e143b38d1796373820cb9d1c3e63dd913ff59200c37

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
c1a66896851931d109534feb0bfee6c3

SHA1
0c48c9ae51826781ab3d7fb530e11d315617f0bf

SHA256
69715de14478ab04f62ab2f386c6b6835f3156cb931baa6c6cf4d5a6ebd6dca6

SHA512
e312adef421d1bd704322a1ee61087b33f4f83d429f19f2c3c5f133bbc9f3c4b29890d08a14c1759a2662e143b38d1796373820cb9d1c3e63dd913ff59200c37

Download Submit
C:\Windows\tasksche.exe
Filesize
2.0MB

MD5
a7c2674187556e355208e61a88be97a1

SHA1
c3a06f5022c108ac279b04bd8542f693cfaf795d

SHA256
a7a524bb861b7faa5bc98637dbe9b995f9ac2cd27e19d3f6babefda6a150a8fd

SHA512
cb380a0d2aac56bb13f337a65b68a2ecb8f677b83fe38e6c23ee69877aff3198b34265b186cf47ebe2008340a3fb4cb18179c4b8cc6ed978b5d84acecd5db8fb

Download Submit
memory/760-62-0x0000000000000000-mapping.dmp

Download
memory/952-56-0x0000000000000000-mapping.dmp

Download
memory/1732-54-0x0000000000000000-mapping.dmp

Download
memory/1732-55-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads