wannacry | 04dc3ef5506d881a29eab6815f250edd48ca853919a797e4a68bd92c65a3eb53

General

Target

e401c39e252447006bc3bd77077d654c.dll
Size

5.0MB
MD5

e401c39e252447006bc3bd77077d654c
SHA1

6b726234d696b4a99c8ba76173d5b58cdf045751
SHA256

04dc3ef5506d881a29eab6815f250edd48ca853919a797e4a68bd92c65a3eb53
SHA512

06ed4316249660332fd3bd64868495cb3a30cc2e3bfc714d09ae66758d090804bef6d6a22a21952f1e64d36395329f5ba2af71df4af7b828e10b958ca5f227d3

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1323) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

548 mssecsvc.exe
1412 mssecsvc.exe
1692 tasksche.exe

pid	process
548	mssecsvc.exe
1412	mssecsvc.exe
1692	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecisionTime = 205757ade59bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\6a-75-1b-2d-33-8d	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecisionTime = 205757ade59bd801	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 2000 wrote to memory of 548	2000	rundll32.exe	mssecsvc.exe
PID 2000 wrote to memory of 548	2000	rundll32.exe	mssecsvc.exe
PID 2000 wrote to memory of 548	2000	rundll32.exe	mssecsvc.exe
PID 2000 wrote to memory of 548	2000	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e401c39e252447006bc3bd77077d654c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e401c39e252447006bc3bd77077d654c.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2000

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:548

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1692

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
c86415e4ea6e449aaf1a5dfe5dea7b5d

SHA1
80b95c64a215a2e06826370ef4c6559c259dc890

SHA256
609332577bbb5f36d04a1e9ef0fc7077fb2ba2e4fd264938000574bea81e5d56

SHA512
52783cdd2ac3ae454dc1612ccc07ca7c8c3e5173b3365eddbb97897d4602064bd98d190a97d4e523fc89d49938bd9cf72975ad04681b1c0a13e8277dcddf63bf

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
c86415e4ea6e449aaf1a5dfe5dea7b5d

SHA1
80b95c64a215a2e06826370ef4c6559c259dc890

SHA256
609332577bbb5f36d04a1e9ef0fc7077fb2ba2e4fd264938000574bea81e5d56

SHA512
52783cdd2ac3ae454dc1612ccc07ca7c8c3e5173b3365eddbb97897d4602064bd98d190a97d4e523fc89d49938bd9cf72975ad04681b1c0a13e8277dcddf63bf

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
c86415e4ea6e449aaf1a5dfe5dea7b5d

SHA1
80b95c64a215a2e06826370ef4c6559c259dc890

SHA256
609332577bbb5f36d04a1e9ef0fc7077fb2ba2e4fd264938000574bea81e5d56

SHA512
52783cdd2ac3ae454dc1612ccc07ca7c8c3e5173b3365eddbb97897d4602064bd98d190a97d4e523fc89d49938bd9cf72975ad04681b1c0a13e8277dcddf63bf

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
3fa063f7ace4dca62436f4b1c58b802d

SHA1
4cdd1db5510d6a63ffbbffdbd240a6c7c32a97bc

SHA256
02a3bb83f9fc6b1e65f16fbc60df9ac77e0fe6df9109ccbdb74a0d8af82b32c2

SHA512
9ae9d986b7dd63bd1a433ad9badb4342a4acdec1840f291ca82bd9a39c3ddc13ea93b2b078da77eb062f6e9664c931d30c1499163172eef7abe8cd4c1e2ba9b2

Download Submit
memory/548-56-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x0000000000000000-mapping.dmp

Download
memory/2000-55-0x0000000074E11000-0x0000000074E13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads