wannacry | 884c4cc639c28e454c009c5c059a8c1f171f394493de29d232e681be97bc1ec3

General

Target

dd2b97420b305f73208026657ed0da4a.dll
Size

5.0MB
MD5

dd2b97420b305f73208026657ed0da4a
SHA1

e071791a193701f4b0c42dadb257955348efc109
SHA256

884c4cc639c28e454c009c5c059a8c1f171f394493de29d232e681be97bc1ec3
SHA512

66a990ba8870f48d89950b9ea21f0b6726652277240e759a2af77be431b52f9ea9da69aca5e9fa007af6df3c4a6cc772ad24ab54b9ca9d60e3210b1dd829c1eb

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1528) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1560 mssecsvc.exe
1348 mssecsvc.exe
1732 tasksche.exe

pid	process
1560	mssecsvc.exe
1348	mssecsvc.exe
1732	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08\WpadDecisionTime = 208dae1ae69bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadDecisionTime = 208dae1ae69bd801	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\ae-1d-a5-c5-14-08	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 2024	1876	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 1560	2024	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b97420b305f73208026657ed0da4a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd2b97420b305f73208026657ed0da4a.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1560

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1732

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
17a8dcf34c64f537223408f48c4cbfd4

SHA1
6ab857f729e41926fbf9d4373b659a06e8b6f75d

SHA256
4ffd66127789176ba9a4062f2b2229cd733de5b3ae9548a0beb1a611a1547830

SHA512
c14c5144afa96dab81a8eaabd32fbcd63ad259762f94843bc1a4db026e3227e217ec1bd3d904f22cb3bc7f2be661010a58a0cafa3747d40c899de148d6089e6b

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
17a8dcf34c64f537223408f48c4cbfd4

SHA1
6ab857f729e41926fbf9d4373b659a06e8b6f75d

SHA256
4ffd66127789176ba9a4062f2b2229cd733de5b3ae9548a0beb1a611a1547830

SHA512
c14c5144afa96dab81a8eaabd32fbcd63ad259762f94843bc1a4db026e3227e217ec1bd3d904f22cb3bc7f2be661010a58a0cafa3747d40c899de148d6089e6b

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
17a8dcf34c64f537223408f48c4cbfd4

SHA1
6ab857f729e41926fbf9d4373b659a06e8b6f75d

SHA256
4ffd66127789176ba9a4062f2b2229cd733de5b3ae9548a0beb1a611a1547830

SHA512
c14c5144afa96dab81a8eaabd32fbcd63ad259762f94843bc1a4db026e3227e217ec1bd3d904f22cb3bc7f2be661010a58a0cafa3747d40c899de148d6089e6b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
1fd3d102d83758e8317df2380821e807

SHA1
3709a9b48aee0d6039b4b3581be33f48d4919b79

SHA256
01b628fa60560c0cb4a332818cb380a65d0616d19976c084e0c3eaa433288b88

SHA512
db0ee5b13e524f2182845aa94b8b1121749e87e48e75e5ba8fa26cae024216913d3a5904fb3544dfeefa49ecf76af5cf1324c410e6366a7197594e8e9e26025f

Download Submit
memory/1560-56-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000000000000-mapping.dmp

Download
memory/2024-55-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads