wannacry | 226b3f09c308afa4dd4643ce807ceb8214bfe0e4238be6a776f31acd9cbeaf21

General

Target

e46efeb5217e2d4bc9b9d28bcf80f3b6.dll
Size

5.0MB
MD5

e46efeb5217e2d4bc9b9d28bcf80f3b6
SHA1

1a42ab2977b67967a3cbdc0ace3ababd76d049b5
SHA256

226b3f09c308afa4dd4643ce807ceb8214bfe0e4238be6a776f31acd9cbeaf21
SHA512

41244f203bc5d206e5d7b81bcc619860e7abbdc448b9c5b5e5b02dd344613eaa70d2e3f22008468437b29501f968226aacd946b4212cb1c0eccb5de0ca4c7982

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1303) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1968 mssecsvc.exe
1652 mssecsvc.exe
1596 tasksche.exe

pid	process
1968	mssecsvc.exe
1652	mssecsvc.exe
1596	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1148	2004	rundll32.exe	rundll32.exe
PID 1148 wrote to memory of 1968	1148	rundll32.exe	mssecsvc.exe
PID 1148 wrote to memory of 1968	1148	rundll32.exe	mssecsvc.exe
PID 1148 wrote to memory of 1968	1148	rundll32.exe	mssecsvc.exe
PID 1148 wrote to memory of 1968	1148	rundll32.exe	mssecsvc.exe
PID 1968 wrote to memory of 1596	1968	mssecsvc.exe	tasksche.exe
PID 1968 wrote to memory of 1596	1968	mssecsvc.exe	tasksche.exe
PID 1968 wrote to memory of 1596	1968	mssecsvc.exe	tasksche.exe
PID 1968 wrote to memory of 1596	1968	mssecsvc.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e46efeb5217e2d4bc9b9d28bcf80f3b6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e46efeb5217e2d4bc9b9d28bcf80f3b6.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1148

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1968

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1596

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
fa5998e94530ad9f75734f4a33e47b59

SHA1
302b9ec84a6c783fdcecb5a013bdb39770d533a1

SHA256
02c77661bf747f40ee9979dbd44885df8b337b9e4a546f385855343ba5a92c5c

SHA512
466cb61e6bbf06b612f924e818e9a0101ae72cda214ded01175b9396a7d379efc17e5115c3c1babcd85656324a7b284acfa622e140714863ba8376150850062b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
fa5998e94530ad9f75734f4a33e47b59

SHA1
302b9ec84a6c783fdcecb5a013bdb39770d533a1

SHA256
02c77661bf747f40ee9979dbd44885df8b337b9e4a546f385855343ba5a92c5c

SHA512
466cb61e6bbf06b612f924e818e9a0101ae72cda214ded01175b9396a7d379efc17e5115c3c1babcd85656324a7b284acfa622e140714863ba8376150850062b

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
fa5998e94530ad9f75734f4a33e47b59

SHA1
302b9ec84a6c783fdcecb5a013bdb39770d533a1

SHA256
02c77661bf747f40ee9979dbd44885df8b337b9e4a546f385855343ba5a92c5c

SHA512
466cb61e6bbf06b612f924e818e9a0101ae72cda214ded01175b9396a7d379efc17e5115c3c1babcd85656324a7b284acfa622e140714863ba8376150850062b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
1fa618bc1133f2933c5fb144de693db1

SHA1
c5489b50f7816213d62f8a7bc5c3fd56ee36351f

SHA256
4c3932c024d000297e5dd33567e8fa05ebd42defbd4d63423106b4e686696962

SHA512
a9de952fa3b59f5eef0b1673faff07b324803730096047dbeac1e24837dd6469e6d7cd1aa7d2cf56f0194a5d2e37ea2bfab0749d52ac00e3a0b12299f935a324

Download Submit
memory/1148-54-0x0000000000000000-mapping.dmp

Download
memory/1148-55-0x00000000765D1000-0x00000000765D3000-memory.dmp

Filesize
8KB

Download
memory/1596-63-0x0000000000000000-mapping.dmp

Download
memory/1652-66-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1652-67-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1968-56-0x0000000000000000-mapping.dmp

Download
memory/1968-59-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download
memory/1968-65-0x0000000000400000-0x0000000000A70000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing