wannacry | 95c2ba129dae7ef5a742da353bd914c504dc60c31228e99d85afb2303a7a518a

General

Target

5fcd8cc470d769069f7e7c48498a6d18.dll
Size

5.0MB
MD5

5fcd8cc470d769069f7e7c48498a6d18
SHA1

062fd0720232c0a95808f50b9565d64c31e9fe48
SHA256

95c2ba129dae7ef5a742da353bd914c504dc60c31228e99d85afb2303a7a518a
SHA512

936d85ac815316208a7960f9d00523fd774ec17e48aae40750de3eebcb43c94f60c03e1150820e6033db0f35290f3977aec12792e53eaae600d9ae0330d2507f

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3124) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4128 mssecsvc.exe
4704 mssecsvc.exe
2696 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4828 2696 WerFault.exe tasksche.exe

pid	process
4128	mssecsvc.exe
4704	mssecsvc.exe
2696	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
4828	2696	WerFault.exe	tasksche.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1184 wrote to memory of 4376	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 4376	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 4376	1184	rundll32.exe	rundll32.exe
PID 4376 wrote to memory of 4128	4376	rundll32.exe	mssecsvc.exe
PID 4376 wrote to memory of 4128	4376	rundll32.exe	mssecsvc.exe
PID 4376 wrote to memory of 4128	4376	rundll32.exe	mssecsvc.exe
PID 4128 wrote to memory of 2696	4128	mssecsvc.exe	tasksche.exe
PID 4128 wrote to memory of 2696	4128	mssecsvc.exe	tasksche.exe
PID 4128 wrote to memory of 2696	4128	mssecsvc.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fcd8cc470d769069f7e7c48498a6d18.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fcd8cc470d769069f7e7c48498a6d18.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4376

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4128

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 224
5⤵
- Program crash
PID:4828

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2696 -ip 2696
1⤵
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
9a7dd9f18b360857ab66f81acf6bf430

SHA1
709f241f65764bbea1819de16a235981657b9e64

SHA256
511559a52266dc69ff6cc2715f699269895c2d14c01f1fc861254598ad8eab2a

SHA512
8b03b54ec8b0222c99f61de7df637fd2066226d603f85e8891d84708a5cb79a0fbcd427cb2f09d3c8e80109499c5a044e95afaa04d99134ccfd5d789b30200fb

Download Submit
C:\WINDOWS\tasksche.exe
Filesize
3.4MB

MD5
f96b8d6fab1906a7f02f3047b8bbedd3

SHA1
64a7b3db933794f3631a1c22b29c7ba13c253e32

SHA256
5aee8b4132d5b4d9130184c1775777379e3b2dcffc7501336d16609814333f85

SHA512
a8b8f3a7bba2f70c7f0a8c4b90c27f88e17a43cd6772961e5ab1c12f1cb55bf8da0649bbe9fe100341a993435e9fa747712d957c4d0156b99f8e304d423ccda2

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
9a7dd9f18b360857ab66f81acf6bf430

SHA1
709f241f65764bbea1819de16a235981657b9e64

SHA256
511559a52266dc69ff6cc2715f699269895c2d14c01f1fc861254598ad8eab2a

SHA512
8b03b54ec8b0222c99f61de7df637fd2066226d603f85e8891d84708a5cb79a0fbcd427cb2f09d3c8e80109499c5a044e95afaa04d99134ccfd5d789b30200fb

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
9a7dd9f18b360857ab66f81acf6bf430

SHA1
709f241f65764bbea1819de16a235981657b9e64

SHA256
511559a52266dc69ff6cc2715f699269895c2d14c01f1fc861254598ad8eab2a

SHA512
8b03b54ec8b0222c99f61de7df637fd2066226d603f85e8891d84708a5cb79a0fbcd427cb2f09d3c8e80109499c5a044e95afaa04d99134ccfd5d789b30200fb

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f96b8d6fab1906a7f02f3047b8bbedd3

SHA1
64a7b3db933794f3631a1c22b29c7ba13c253e32

SHA256
5aee8b4132d5b4d9130184c1775777379e3b2dcffc7501336d16609814333f85

SHA512
a8b8f3a7bba2f70c7f0a8c4b90c27f88e17a43cd6772961e5ab1c12f1cb55bf8da0649bbe9fe100341a993435e9fa747712d957c4d0156b99f8e304d423ccda2

Download Submit
memory/2696-135-0x0000000000000000-mapping.dmp

Download
memory/4128-131-0x0000000000000000-mapping.dmp

Download
memory/4376-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing