wannacry | 3171e1fe25a2035dbd8233e852296c92c3651b5fcfc98ce1308ac6a2eed2cda1

General

Target

ffafe05991d988d69f994b0b863b32b9.dll
Size

5.0MB
MD5

ffafe05991d988d69f994b0b863b32b9
SHA1

d9a49bbf1f071a7b68883d4b8389219c71508ce7
SHA256

3171e1fe25a2035dbd8233e852296c92c3651b5fcfc98ce1308ac6a2eed2cda1
SHA512

9f7536d14e1f0a5d531bfbf19d4eeb5235067d4a5c2a5e09b384c3daf4beb1f6416eb267bc7c2d10015abb2c087fb373108261c0fd21421ab4367cfcfbca70c5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1246) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

2000 mssecsvr.exe
940 mssecsvr.exe

pid	process
2000	mssecsvr.exe
940	mssecsvr.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\06-b3-e2-21-6b-68	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-b3-e2-21-6b-68\WpadDecision = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\WpadDecisionReason = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\WpadNetworkName = "Network 3"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-b3-e2-21-6b-68	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-b3-e2-21-6b-68\WpadDecisionTime = 80ab86bbe99bd801	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\WpadDecisionTime = 80ab86bbe99bd801	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-b3-e2-21-6b-68\WpadDecisionReason = "1"	mssecsvr.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1392 wrote to memory of 1652	1392	rundll32.exe	rundll32.exe
PID 1392 wrote to memory of 1652	1392	rundll32.exe	rundll32.exe
PID 1392 wrote to memory of 1652	1392	rundll32.exe	rundll32.exe
PID 1392 wrote to memory of 1652	1392	rundll32.exe	rundll32.exe
PID 1392 wrote to memory of 1652	1392	rundll32.exe	rundll32.exe
PID 1392 wrote to memory of 1652	1392	rundll32.exe	rundll32.exe
PID 1392 wrote to memory of 1652	1392	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 2000	1652	rundll32.exe	mssecsvr.exe
PID 1652 wrote to memory of 2000	1652	rundll32.exe	mssecsvr.exe
PID 1652 wrote to memory of 2000	1652	rundll32.exe	mssecsvr.exe
PID 1652 wrote to memory of 2000	1652	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffafe05991d988d69f994b0b863b32b9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffafe05991d988d69f994b0b863b32b9.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2000

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
22e4d9f8f001126d45501a8d77428958

SHA1
4e473d551ce945e3141b3178cc92867967c3b9d9

SHA256
59eafc3be537a8e784d1ab27a4c42f75bc3c1f7ec01136b0b55b3c4a84b7441a

SHA512
51622ca081afcc5f423d7d3f582ffb0740324c78275b55ec3a660550c9ffc26dfa7388d13abc0e19685dd5baa7677d20c2146dc2567b5d48556723d7e1ff9c21

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
22e4d9f8f001126d45501a8d77428958

SHA1
4e473d551ce945e3141b3178cc92867967c3b9d9

SHA256
59eafc3be537a8e784d1ab27a4c42f75bc3c1f7ec01136b0b55b3c4a84b7441a

SHA512
51622ca081afcc5f423d7d3f582ffb0740324c78275b55ec3a660550c9ffc26dfa7388d13abc0e19685dd5baa7677d20c2146dc2567b5d48556723d7e1ff9c21

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
22e4d9f8f001126d45501a8d77428958

SHA1
4e473d551ce945e3141b3178cc92867967c3b9d9

SHA256
59eafc3be537a8e784d1ab27a4c42f75bc3c1f7ec01136b0b55b3c4a84b7441a

SHA512
51622ca081afcc5f423d7d3f582ffb0740324c78275b55ec3a660550c9ffc26dfa7388d13abc0e19685dd5baa7677d20c2146dc2567b5d48556723d7e1ff9c21

Download Submit
memory/1652-54-0x0000000000000000-mapping.dmp

Download
memory/1652-55-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/2000-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads