wannacry | ec29f4db6e43c8bfad91f4d2910c6db42b975d33f7a51c69ea9e0dc9d400584f

General

Target

4c35693cadb792e90bdddc8380b842c5.dll
Size

5.0MB
MD5

4c35693cadb792e90bdddc8380b842c5
SHA1

746a147d80ad18a14675cd3ac6ab36732b005993
SHA256

ec29f4db6e43c8bfad91f4d2910c6db42b975d33f7a51c69ea9e0dc9d400584f
SHA512

74ae721343082477fc09ef865d595c2150b085bea7e935e52587946da0ac0f54296a85cacdd37c9b70518668ffaf55012e8f21feade02a433363217d92544630

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3079) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

5000 mssecsvc.exe
2192 mssecsvc.exe
1516 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3972 1516 WerFault.exe tasksche.exe
2232 1516 WerFault.exe tasksche.exe

pid	process
5000	mssecsvc.exe
2192	mssecsvc.exe
1516	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
3972	1516	WerFault.exe	tasksche.exe
2232	1516	WerFault.exe	tasksche.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 4952 wrote to memory of 4988	4952	rundll32.exe	rundll32.exe
PID 4952 wrote to memory of 4988	4952	rundll32.exe	rundll32.exe
PID 4952 wrote to memory of 4988	4952	rundll32.exe	rundll32.exe
PID 4988 wrote to memory of 5000	4988	rundll32.exe	mssecsvc.exe
PID 4988 wrote to memory of 5000	4988	rundll32.exe	mssecsvc.exe
PID 4988 wrote to memory of 5000	4988	rundll32.exe	mssecsvc.exe
PID 5000 wrote to memory of 1516	5000	mssecsvc.exe	tasksche.exe
PID 5000 wrote to memory of 1516	5000	mssecsvc.exe	tasksche.exe
PID 5000 wrote to memory of 1516	5000	mssecsvc.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c35693cadb792e90bdddc8380b842c5.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c35693cadb792e90bdddc8380b842c5.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4988

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5000

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 224
5⤵
- Program crash
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 244
5⤵
- Program crash
PID:2232

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1516 -ip 1516
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1516 -ip 1516
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
4e9e7d540c73d79a641299c02154a342

SHA1
259a5feb4e5032d32474042aad4e3444da12df1d

SHA256
52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5

SHA512
770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9

Download Submit
C:\WINDOWS\tasksche.exe
Filesize
3.4MB

MD5
05b62993be8f2411988da09e828ea3a9

SHA1
a211ce025d3f266f8e60dbb5985d6b6bc6fbd795

SHA256
e1e1d0a7b950fee4294a3e8b8c944e215d9c9cd1aa718cc87d48c2bc2f71d149

SHA512
0fd8b0d191e1ef44da171bf261532394a87d5c766c49979f5061bd68d42452e741f9c6ae3dad6ff301db1c5069e533e63f6a976398c782da79b194f8da5e5559

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
4e9e7d540c73d79a641299c02154a342

SHA1
259a5feb4e5032d32474042aad4e3444da12df1d

SHA256
52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5

SHA512
770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
4e9e7d540c73d79a641299c02154a342

SHA1
259a5feb4e5032d32474042aad4e3444da12df1d

SHA256
52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5

SHA512
770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
05b62993be8f2411988da09e828ea3a9

SHA1
a211ce025d3f266f8e60dbb5985d6b6bc6fbd795

SHA256
e1e1d0a7b950fee4294a3e8b8c944e215d9c9cd1aa718cc87d48c2bc2f71d149

SHA512
0fd8b0d191e1ef44da171bf261532394a87d5c766c49979f5061bd68d42452e741f9c6ae3dad6ff301db1c5069e533e63f6a976398c782da79b194f8da5e5559

Download Submit
memory/1516-135-0x0000000000000000-mapping.dmp

Download
memory/4988-130-0x0000000000000000-mapping.dmp

Download
memory/5000-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing