wannacry | 5d8f0c54fd3945b1c2da7295db07fb85bee9761fc82bed542b9c98746bd6bc42

General

Target

0627f0f29229e474c78206de082d53d8.dll
Size

5.0MB
MD5

0627f0f29229e474c78206de082d53d8
SHA1

e3fd6cb3f29ee07b9be7bad39824d02b186b8c2b
SHA256

5d8f0c54fd3945b1c2da7295db07fb85bee9761fc82bed542b9c98746bd6bc42
SHA512

499ee633849972f994355c57ef956143ac049e8d033f1d6a7d467043b7065a4a6fb185a9ad502f176b70675a5bb0810ba8c9e06e940ceb1e5f9b859a68bf438a

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1266) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2032 mssecsvc.exe
888 mssecsvc.exe
1136 tasksche.exe

pid	process
2032	mssecsvc.exe
888	mssecsvc.exe
1136	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\52-2b-8b-7a-05-32	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2b-8b-7a-05-32\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2b-8b-7a-05-32\WpadDecisionTime = c06600caed9bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2b-8b-7a-05-32\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7EA136F-F734-46D9-BD0F-6D72411B1F64}\WpadDecisionTime = c06600caed9bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-2b-8b-7a-05-32	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 968	1044	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 2032	968	rundll32.exe	mssecsvc.exe
PID 968 wrote to memory of 2032	968	rundll32.exe	mssecsvc.exe
PID 968 wrote to memory of 2032	968	rundll32.exe	mssecsvc.exe
PID 968 wrote to memory of 2032	968	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0627f0f29229e474c78206de082d53d8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0627f0f29229e474c78206de082d53d8.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:968

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2032

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1136

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
090abe3450019f5893e16535f5d67b0e

SHA1
5487f5b9b1b4f18e1cb7708e1e17acccecaf7755

SHA256
ec3ac4e0682433d49b5570a68db1bae0a71bb406e39ac175bc86d0e059bcd667

SHA512
7de6bcd9d6cb3bf25332a144c2eef2e38989f7f089073bcae67939e7f18e3d6382d8b831cdec9408329d324a0b8023786d5150e21eb783df467fbf6f6cb39fc4

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
090abe3450019f5893e16535f5d67b0e

SHA1
5487f5b9b1b4f18e1cb7708e1e17acccecaf7755

SHA256
ec3ac4e0682433d49b5570a68db1bae0a71bb406e39ac175bc86d0e059bcd667

SHA512
7de6bcd9d6cb3bf25332a144c2eef2e38989f7f089073bcae67939e7f18e3d6382d8b831cdec9408329d324a0b8023786d5150e21eb783df467fbf6f6cb39fc4

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
090abe3450019f5893e16535f5d67b0e

SHA1
5487f5b9b1b4f18e1cb7708e1e17acccecaf7755

SHA256
ec3ac4e0682433d49b5570a68db1bae0a71bb406e39ac175bc86d0e059bcd667

SHA512
7de6bcd9d6cb3bf25332a144c2eef2e38989f7f089073bcae67939e7f18e3d6382d8b831cdec9408329d324a0b8023786d5150e21eb783df467fbf6f6cb39fc4

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
fa0479764a7a2566f7c4da2cfafa794b

SHA1
ae6c04b795a59e1e0b636a6fc88efd2e6597a46a

SHA256
280ed3db4302c33d79ab60d6db3ac2e3a76fede38d0c164aaa50ff9fd6f1b0ce

SHA512
d878df1b6b6e57e4b7dc18f6049c45888b607469fd4843af9939f09c2ec73b39c12101451404342f2401cdadeb84351011d624ba4928ec429518ed42d1138d3a

Download Submit
memory/968-54-0x0000000000000000-mapping.dmp

Download
memory/968-55-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads