wannacry | 5cc480c8869b3c6b9e319b6688ba7c7da41c1ca679a2582adccb3d28aded93e4

General

Target

986b29f805c4036a4b17a2050e67aae6.dll
Size

5.0MB
MD5

986b29f805c4036a4b17a2050e67aae6
SHA1

9c9118edacd1103c5244dd8cb103e26ff5f4238c
SHA256

5cc480c8869b3c6b9e319b6688ba7c7da41c1ca679a2582adccb3d28aded93e4
SHA512

450683459e863a881f06d91ad63d4f130a9e43ae9d8c83907a4ccce5239579bba2cc123172c19362736d031b17ed1cea4ba24b7d696cf0f828f05684fdd43e1a

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1272) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

892 mssecsvc.exe
2024 mssecsvc.exe
1112 tasksche.exe

pid	process
892	mssecsvc.exe
2024	mssecsvc.exe
1112	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

668 1112 WerFault.exe tasksche.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
668	1112	WerFault.exe	tasksche.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exetasksche.exe

description	pid	process	target process
PID 1676 wrote to memory of 1812	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1812	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1812	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1812	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1812	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1812	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1812	1676	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 892	1812	rundll32.exe	mssecsvc.exe
PID 1812 wrote to memory of 892	1812	rundll32.exe	mssecsvc.exe
PID 1812 wrote to memory of 892	1812	rundll32.exe	mssecsvc.exe
PID 1812 wrote to memory of 892	1812	rundll32.exe	mssecsvc.exe
PID 892 wrote to memory of 1112	892	mssecsvc.exe	tasksche.exe
PID 892 wrote to memory of 1112	892	mssecsvc.exe	tasksche.exe
PID 892 wrote to memory of 1112	892	mssecsvc.exe	tasksche.exe
PID 892 wrote to memory of 1112	892	mssecsvc.exe	tasksche.exe
PID 1112 wrote to memory of 668	1112	tasksche.exe	WerFault.exe
PID 1112 wrote to memory of 668	1112	tasksche.exe	WerFault.exe
PID 1112 wrote to memory of 668	1112	tasksche.exe	WerFault.exe
PID 1112 wrote to memory of 668	1112	tasksche.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\986b29f805c4036a4b17a2050e67aae6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\986b29f805c4036a4b17a2050e67aae6.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1812

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:892

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 36
5⤵
- Program crash
PID:668

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
51cfc6fe985916116cd2bbd6aa836044

SHA1
db443f2110da8a92435c2478a1cd946f91f162bb

SHA256
aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc

SHA512
0d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
51cfc6fe985916116cd2bbd6aa836044

SHA1
db443f2110da8a92435c2478a1cd946f91f162bb

SHA256
aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc

SHA512
0d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
51cfc6fe985916116cd2bbd6aa836044

SHA1
db443f2110da8a92435c2478a1cd946f91f162bb

SHA256
aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc

SHA512
0d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7b351fcb4c6a4ccb3d3061936aa553a6

SHA1
365a3e54d81b8c19fe781656a4ce7243749ad970

SHA256
efa788e33b9f58a86b015da2b0b1651f80e02923e9e9ffc1602aeed4218a5dac

SHA512
3d8fa3a451f0a63bb0ce444f5f3ac9420e65e57fd8d50c9477b22ebc58402c747b27c74aef540b4bb0327487d48eef58a77b2ec37d5c52c2224102e4b62c30f8

Download Submit
memory/668-64-0x0000000000000000-mapping.dmp

Download
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/1112-62-0x0000000000000000-mapping.dmp

Download
memory/1812-54-0x0000000000000000-mapping.dmp

Download
memory/1812-55-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing