wannacry | 95c2ba129dae7ef5a742da353bd914c504dc60c31228e99d85afb2303a7a518a

General

Target

5fcd8cc470d769069f7e7c48498a6d18.dll
Size

5.0MB
MD5

5fcd8cc470d769069f7e7c48498a6d18
SHA1

062fd0720232c0a95808f50b9565d64c31e9fe48
SHA256

95c2ba129dae7ef5a742da353bd914c504dc60c31228e99d85afb2303a7a518a
SHA512

936d85ac815316208a7960f9d00523fd774ec17e48aae40750de3eebcb43c94f60c03e1150820e6033db0f35290f3977aec12792e53eaae600d9ae0330d2507f

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1243) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1972 mssecsvc.exe
1292 mssecsvc.exe
1148 tasksche.exe

pid	process
1972	mssecsvc.exe
1292	mssecsvc.exe
1148	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780329E7-A59F-40F9-8B06-5587950E6EE3}\WpadDecisionTime = 7090ccd2f89bd801	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780329E7-A59F-40F9-8B06-5587950E6EE3}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-bc-40-ce-d2-8e	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780329E7-A59F-40F9-8B06-5587950E6EE3}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780329E7-A59F-40F9-8B06-5587950E6EE3}\4a-bc-40-ce-d2-8e	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-bc-40-ce-d2-8e\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-bc-40-ce-d2-8e\WpadDecisionTime = 7090ccd2f89bd801	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780329E7-A59F-40F9-8B06-5587950E6EE3}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{780329E7-A59F-40F9-8B06-5587950E6EE3}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-bc-40-ce-d2-8e\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1212 wrote to memory of 1496	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1496	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1496	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1496	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1496	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1496	1212	rundll32.exe	rundll32.exe
PID 1212 wrote to memory of 1496	1212	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1972	1496	rundll32.exe	mssecsvc.exe
PID 1496 wrote to memory of 1972	1496	rundll32.exe	mssecsvc.exe
PID 1496 wrote to memory of 1972	1496	rundll32.exe	mssecsvc.exe
PID 1496 wrote to memory of 1972	1496	rundll32.exe	mssecsvc.exe
PID 1972 wrote to memory of 1148	1972	mssecsvc.exe	tasksche.exe
PID 1972 wrote to memory of 1148	1972	mssecsvc.exe	tasksche.exe
PID 1972 wrote to memory of 1148	1972	mssecsvc.exe	tasksche.exe
PID 1972 wrote to memory of 1148	1972	mssecsvc.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fcd8cc470d769069f7e7c48498a6d18.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fcd8cc470d769069f7e7c48498a6d18.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1496

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1972

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1148

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
9a7dd9f18b360857ab66f81acf6bf430

SHA1
709f241f65764bbea1819de16a235981657b9e64

SHA256
511559a52266dc69ff6cc2715f699269895c2d14c01f1fc861254598ad8eab2a

SHA512
8b03b54ec8b0222c99f61de7df637fd2066226d603f85e8891d84708a5cb79a0fbcd427cb2f09d3c8e80109499c5a044e95afaa04d99134ccfd5d789b30200fb

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
9a7dd9f18b360857ab66f81acf6bf430

SHA1
709f241f65764bbea1819de16a235981657b9e64

SHA256
511559a52266dc69ff6cc2715f699269895c2d14c01f1fc861254598ad8eab2a

SHA512
8b03b54ec8b0222c99f61de7df637fd2066226d603f85e8891d84708a5cb79a0fbcd427cb2f09d3c8e80109499c5a044e95afaa04d99134ccfd5d789b30200fb

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
9a7dd9f18b360857ab66f81acf6bf430

SHA1
709f241f65764bbea1819de16a235981657b9e64

SHA256
511559a52266dc69ff6cc2715f699269895c2d14c01f1fc861254598ad8eab2a

SHA512
8b03b54ec8b0222c99f61de7df637fd2066226d603f85e8891d84708a5cb79a0fbcd427cb2f09d3c8e80109499c5a044e95afaa04d99134ccfd5d789b30200fb

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
f96b8d6fab1906a7f02f3047b8bbedd3

SHA1
64a7b3db933794f3631a1c22b29c7ba13c253e32

SHA256
5aee8b4132d5b4d9130184c1775777379e3b2dcffc7501336d16609814333f85

SHA512
a8b8f3a7bba2f70c7f0a8c4b90c27f88e17a43cd6772961e5ab1c12f1cb55bf8da0649bbe9fe100341a993435e9fa747712d957c4d0156b99f8e304d423ccda2

Download Submit
memory/1148-62-0x0000000000000000-mapping.dmp

Download
memory/1496-54-0x0000000000000000-mapping.dmp

Download
memory/1496-55-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/1972-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads