wannacry | 71e5a4b325e2848229931f838f54c440fc6ed12c44274b9f8c85d14eea459d1c

General

Target

5bf40e2fc5e5cc0246dabbafcd2739fe.dll
Size

5.0MB
MD5

5bf40e2fc5e5cc0246dabbafcd2739fe
SHA1

9823558083e56b95d658bcde6c2202e9c6742026
SHA256

71e5a4b325e2848229931f838f54c440fc6ed12c44274b9f8c85d14eea459d1c
SHA512

a56ab6815557df8362d1eda5d405645ed40fd1d524d9f5aa7fb3667b0ff9cd12ae727b02baa47e49cee12bdad8d7a0b28bc3cf80617987c711a5078481771f70

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1217) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

1860 mssecsvr.exe
2040 mssecsvr.exe

pid	process
1860	mssecsvr.exe
2040	mssecsvr.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\WpadNetworkName = "Network 3"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-b3-e2-21-6b-68\WpadDecisionReason = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-b3-e2-21-6b-68\WpadDecisionTime = 20e8bc0bf59bd801	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\WpadDecisionTime = 20e8bc0bf59bd801	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\06-b3-e2-21-6b-68	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{09198BD8-AAE4-4499-87F6-CDDADBEAFAA8}\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-b3-e2-21-6b-68	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-b3-e2-21-6b-68\WpadDecision = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1880 wrote to memory of 1744	1880	rundll32.exe	rundll32.exe
PID 1880 wrote to memory of 1744	1880	rundll32.exe	rundll32.exe
PID 1880 wrote to memory of 1744	1880	rundll32.exe	rundll32.exe
PID 1880 wrote to memory of 1744	1880	rundll32.exe	rundll32.exe
PID 1880 wrote to memory of 1744	1880	rundll32.exe	rundll32.exe
PID 1880 wrote to memory of 1744	1880	rundll32.exe	rundll32.exe
PID 1880 wrote to memory of 1744	1880	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 1860	1744	rundll32.exe	mssecsvr.exe
PID 1744 wrote to memory of 1860	1744	rundll32.exe	mssecsvr.exe
PID 1744 wrote to memory of 1860	1744	rundll32.exe	mssecsvr.exe
PID 1744 wrote to memory of 1860	1744	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bf40e2fc5e5cc0246dabbafcd2739fe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bf40e2fc5e5cc0246dabbafcd2739fe.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1744

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1860

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe

Filesize
3.6MB

MD5
d8ccba7882c4bfe7baba94e01c34b7b0

SHA1
1c94cb73dc4667f79da0098234b1aaaa0f5eef67

SHA256
718d4b4413e021020918dd3b1bf0478f2163f0bcb813327b069787882d06a3d9

SHA512
574f2e70cb2f0bd5fc667039ed176f6a1d26bd97801cd397f85cc3db06d09dac56e12d0ffb4b9244364b7d89f756cffca84103518dc2781fb894c524201e862c

Download Submit
C:\Windows\mssecsvr.exe

Filesize
3.6MB

MD5
d8ccba7882c4bfe7baba94e01c34b7b0

SHA1
1c94cb73dc4667f79da0098234b1aaaa0f5eef67

SHA256
718d4b4413e021020918dd3b1bf0478f2163f0bcb813327b069787882d06a3d9

SHA512
574f2e70cb2f0bd5fc667039ed176f6a1d26bd97801cd397f85cc3db06d09dac56e12d0ffb4b9244364b7d89f756cffca84103518dc2781fb894c524201e862c

Download Submit
C:\Windows\mssecsvr.exe

Filesize
3.6MB

MD5
d8ccba7882c4bfe7baba94e01c34b7b0

SHA1
1c94cb73dc4667f79da0098234b1aaaa0f5eef67

SHA256
718d4b4413e021020918dd3b1bf0478f2163f0bcb813327b069787882d06a3d9

SHA512
574f2e70cb2f0bd5fc667039ed176f6a1d26bd97801cd397f85cc3db06d09dac56e12d0ffb4b9244364b7d89f756cffca84103518dc2781fb894c524201e862c

Download Submit
memory/1744-54-0x0000000000000000-mapping.dmp

Download
memory/1744-55-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1860-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads