wannacry | cf5ddb5dedea0104a3fc464c822e6181a9dd9fa6e27e713c54af0eafb7c5faf0

General

Target

a55b9addb2447db1882a3ae995a70151.dll
Size

5.0MB
MD5

a55b9addb2447db1882a3ae995a70151
SHA1

f8d5a24a90ae78bece5f280852e0f393757fc685
SHA256

cf5ddb5dedea0104a3fc464c822e6181a9dd9fa6e27e713c54af0eafb7c5faf0
SHA512

a2a1ca078e5dc4a5060547948d87a41c22186eba6b671f840bd6ddfefad257162fa896f56865092cf85cc5aded76324fd4a27c11c5ef1e36910f5dcc1cd6f4d8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1229) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1544 mssecsvc.exe
1724 mssecsvc.exe
1136 tasksche.exe

pid	process
1544	mssecsvc.exe
1724	mssecsvc.exe
1136	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00be000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C112EFA5-63F1-43EE-A79A-2022C3D11AD5}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C112EFA5-63F1-43EE-A79A-2022C3D11AD5}\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-84-54-89-97-15\WpadDecisionTime = 8016c2eded9bd801	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-84-54-89-97-15	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C112EFA5-63F1-43EE-A79A-2022C3D11AD5}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C112EFA5-63F1-43EE-A79A-2022C3D11AD5}\96-84-54-89-97-15	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-84-54-89-97-15\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-84-54-89-97-15\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C112EFA5-63F1-43EE-A79A-2022C3D11AD5}\WpadDecisionTime = 8016c2eded9bd801	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C112EFA5-63F1-43EE-A79A-2022C3D11AD5}\WpadNetworkName = "Network 3"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 972 wrote to memory of 1120	972	rundll32.exe	rundll32.exe
PID 1120 wrote to memory of 1544	1120	rundll32.exe	mssecsvc.exe
PID 1120 wrote to memory of 1544	1120	rundll32.exe	mssecsvc.exe
PID 1120 wrote to memory of 1544	1120	rundll32.exe	mssecsvc.exe
PID 1120 wrote to memory of 1544	1120	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a55b9addb2447db1882a3ae995a70151.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a55b9addb2447db1882a3ae995a70151.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1120

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1544

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1136

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
478abb44dbba06e87decd2df49f3d986

SHA1
0d1bdc648b6fe87652fd4f299ebb1eac821dfef3

SHA256
a90873267deb6777193d65a390752e86b6a1bbf3523cfb28c266139e24ed69f8

SHA512
7a3a0ad0207aebd5971c9ef36dff7ca0183126643040ecf60ea67b208c99ad622d5bff6ac972bebe6ed7d16d069c801f264a422bd25110efb7d3ed5550715a0f

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
478abb44dbba06e87decd2df49f3d986

SHA1
0d1bdc648b6fe87652fd4f299ebb1eac821dfef3

SHA256
a90873267deb6777193d65a390752e86b6a1bbf3523cfb28c266139e24ed69f8

SHA512
7a3a0ad0207aebd5971c9ef36dff7ca0183126643040ecf60ea67b208c99ad622d5bff6ac972bebe6ed7d16d069c801f264a422bd25110efb7d3ed5550715a0f

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
478abb44dbba06e87decd2df49f3d986

SHA1
0d1bdc648b6fe87652fd4f299ebb1eac821dfef3

SHA256
a90873267deb6777193d65a390752e86b6a1bbf3523cfb28c266139e24ed69f8

SHA512
7a3a0ad0207aebd5971c9ef36dff7ca0183126643040ecf60ea67b208c99ad622d5bff6ac972bebe6ed7d16d069c801f264a422bd25110efb7d3ed5550715a0f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
3233aced9279ef54267c479bba665b90

SHA1
0b2cc142386641901511269503cdf6f641fad305

SHA256
f60f8a6bcaf1384a0d6a76d3e88007a8604560b263d2b8aeee06fd74c9ee5b3b

SHA512
55f25c51ffb89d46f2a7d2ed9b67701e178bd68e74b71d757d5fa14bd9530a427104fc36116633033ead762ecf7960ab96429f5b0a085a701001c6832ba4555e

Download Submit
memory/1120-54-0x0000000000000000-mapping.dmp

Download
memory/1120-55-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1544-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads