wannacry | 4056238a615260bca116bd686070addc75a16a4c30ee20e805ffdec5c6df0cbb

General

Target

220720-cdvfqsacd9.dll
Size

5.0MB
MD5

54abc6dbc947845d38762f53af7f2b16
SHA1

7376d7444a05dc21177496f10d0194eaedd66771
SHA256

4056238a615260bca116bd686070addc75a16a4c30ee20e805ffdec5c6df0cbb
SHA512

d4237b9685c151998308b306974e2e10cc36be530e5f63fa6ef0b4a08181d7cf501813a4e743436f0123c4100416580d2797e46bca1cdf0ea5ae4dfbd2c169b7
SSDEEP

49152:RnqqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1qqPoBhz1aRxcSUDk36SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3270) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

1032 mssecsvr.exe
2484 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1032	mssecsvr.exe
2484	mssecsvr.exe

Drops file in System32 directory 4 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3584 wrote to memory of 624	3584	rundll32.exe	rundll32.exe
PID 3584 wrote to memory of 624	3584	rundll32.exe	rundll32.exe
PID 3584 wrote to memory of 624	3584	rundll32.exe	rundll32.exe
PID 624 wrote to memory of 1032	624	rundll32.exe	mssecsvr.exe
PID 624 wrote to memory of 1032	624	rundll32.exe	mssecsvr.exe
PID 624 wrote to memory of 1032	624	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\220720-cdvfqsacd9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\220720-cdvfqsacd9.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:624

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1032

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
1024KB

MD5
ba0ef8d46f752db201a5b32bf93507f0

SHA1
ea32181726b1138f932217f0d20f771711dd47bb

SHA256
abd2635551f06a4f504ebc39d0a67c2fe23ad74be2e7dd141184ba75b1b9c2d0

SHA512
ecd0a2846ff9fd55476a2a26c80c52ebe5d304ae870d2960ad8ae7c65f290af1916ee63fcacfb7fd27d215a28b37b804d164d4817c78ced71992e804a438950c

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
ba72f8befa00aa3e36ca5822f4b0955d

SHA1
f627e725fc59284212d32bad8b9e1f5890be76ed

SHA256
f627890d60ebafc66e98a8d7c348a7a89a78301c1934d507a1f167be242de78b

SHA512
0fc598c9ea0992d5751992d9ea5058799c6b6a5ea49d9a4084ae1f50568be7c3419c5f07c38b85b156143b77d472a048526c43fa103bd6d04195eb6a01b87661

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads