wannacry | 6da6e0b44a80512d686d3fef1d67ae930f29169bc369e0f06e01a2de2b46e953

General

Target

9faf2402c6822dd5b60f007cfe85abba.dll
Size

5.0MB
MD5

9faf2402c6822dd5b60f007cfe85abba
SHA1

301e8ef9b2b3c8220624e1c91e4b7cc73c2432cb
SHA256

6da6e0b44a80512d686d3fef1d67ae930f29169bc369e0f06e01a2de2b46e953
SHA512

718f8a17e1275312c063351b8bb83e9612d9a0026840b53495460b712809eb4de59926a9cd9cc1a438b2b431479b75cd8d8f15df314abdd37e93fa12bd71cd35

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1222) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

1996 mssecsvr.exe
2016 mssecsvr.exe
1452 tasksche.exe

pid	process
1996	mssecsvr.exe
2016	mssecsvr.exe
1452	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\WpadDecisionTime = e03246f6f89bd801	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\26-0f-b8-e8-60-c3	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-0f-b8-e8-60-c3\WpadDecisionTime = e03246f6f89bd801	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-0f-b8-e8-60-c3	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-0f-b8-e8-60-c3\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\WpadNetworkName = "Network 3"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\WpadDecisionReason = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-0f-b8-e8-60-c3\WpadDecision = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1952 wrote to memory of 588	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 588	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 588	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 588	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 588	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 588	1952	rundll32.exe	rundll32.exe
PID 1952 wrote to memory of 588	1952	rundll32.exe	rundll32.exe
PID 588 wrote to memory of 1996	588	rundll32.exe	mssecsvr.exe
PID 588 wrote to memory of 1996	588	rundll32.exe	mssecsvr.exe
PID 588 wrote to memory of 1996	588	rundll32.exe	mssecsvr.exe
PID 588 wrote to memory of 1996	588	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9faf2402c6822dd5b60f007cfe85abba.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9faf2402c6822dd5b60f007cfe85abba.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:588

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1996

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1452

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe

Filesize
2.2MB

MD5
d9b3554d96952f1b16252c1811b3b21a

SHA1
23532544f6a27b155ca180be612324de89847b98

SHA256
f489c64c817e66f15478f2eb3f8b444fe402ef6251380da7ba6ff363a1c75f2e

SHA512
4e6d6f15f8a5674a8d28427b148bb0cd225d237c634c6596834a19ec63d68197cb4406cd1fc0303f7ee0c62feeb2a139c8f2ecf5422dffb0905de6dc96ac32e2

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
d9b3554d96952f1b16252c1811b3b21a

SHA1
23532544f6a27b155ca180be612324de89847b98

SHA256
f489c64c817e66f15478f2eb3f8b444fe402ef6251380da7ba6ff363a1c75f2e

SHA512
4e6d6f15f8a5674a8d28427b148bb0cd225d237c634c6596834a19ec63d68197cb4406cd1fc0303f7ee0c62feeb2a139c8f2ecf5422dffb0905de6dc96ac32e2

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
d9b3554d96952f1b16252c1811b3b21a

SHA1
23532544f6a27b155ca180be612324de89847b98

SHA256
f489c64c817e66f15478f2eb3f8b444fe402ef6251380da7ba6ff363a1c75f2e

SHA512
4e6d6f15f8a5674a8d28427b148bb0cd225d237c634c6596834a19ec63d68197cb4406cd1fc0303f7ee0c62feeb2a139c8f2ecf5422dffb0905de6dc96ac32e2

Download Submit
C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
9b19ad1982ad5c0189ac79dfdf8ae986

SHA1
7ef669cdc7389e79e9206a0239978c588b7e6931

SHA256
c34d78817409c59cf2bc802532bc6b2abe884c2b3e67ff17830b1ae518b844f2

SHA512
f7c5821f0792923b75a775677ef1c41523b3411b7e4803c8cfbc6d7f67468f1f1d1c4670ce4b46731621f099c7ffdace32709c7985454d01405d9d58e8b15995

Download Submit
memory/588-54-0x0000000000000000-mapping.dmp

Download
memory/588-55-0x0000000075E21000-0x0000000075E23000-memory.dmp

Filesize
8KB

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads