wannacry | 92bc02116a72b13d359ba88e0984ea09d2eb230fbf711d92a0c961e08274a09e

General

Target

ce223b231f2862124386c585e9b95ca1.dll
Size

5.0MB
MD5

ce223b231f2862124386c585e9b95ca1
SHA1

61673e2be7e3479a818eb98339692bc7e4a5b79c
SHA256

92bc02116a72b13d359ba88e0984ea09d2eb230fbf711d92a0c961e08274a09e
SHA512

dede42923cae7167fcff56ae1131e6cb5a9c8ef14d76d1be84211504685d628fa1abf658a7ec89d0bca976c35ef6eb58f93e4f59ffcc4c27468e3e44c0ac4faa
SSDEEP

12288:TQbLgmluyQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXF5:MbLguVQhfdmMSirYbcMNgef0QeQjG

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (11897) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exemssecsvr.exe

pid process

4564 mssecsvr.exe
4380 mssecsvr.exe
3216 mssecsvr.exe

pid	process
4564	mssecsvr.exe
4380	mssecsvr.exe
3216	mssecsvr.exe

Drops file in System32 directory 2 IoCs

Processes:

mmc.exemmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Drops file in Windows directory 3 IoCs

Processes:

rundll32.exemssecsvr.exemssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

mmc.exemmc.exe

pid process

1456 mmc.exe
3512 mmc.exe

pid	process
1456	mmc.exe
3512	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mmc.exe

description	pid	process
Token: SeSecurityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: SeSecurityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe
Token: 33	1456	mmc.exe
Token: SeIncBasePriorityPrivilege	1456	mmc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mmc.exemmc.exe

pid process

1456 mmc.exe
1456 mmc.exe
3512 mmc.exe
3512 mmc.exe

pid	process
1456	mmc.exe
1456	mmc.exe
3512	mmc.exe
3512	mmc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4776 wrote to memory of 5020	4776	rundll32.exe	rundll32.exe
PID 4776 wrote to memory of 5020	4776	rundll32.exe	rundll32.exe
PID 4776 wrote to memory of 5020	4776	rundll32.exe	rundll32.exe
PID 5020 wrote to memory of 4564	5020	rundll32.exe	mssecsvr.exe
PID 5020 wrote to memory of 4564	5020	rundll32.exe	mssecsvr.exe
PID 5020 wrote to memory of 4564	5020	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce223b231f2862124386c585e9b95ca1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce223b231f2862124386c585e9b95ca1.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5020

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4564

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4380

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
1⤵
PID:2580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:692

C:\Windows\mssecsvr.exe
"C:\Windows\mssecsvr.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3216

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Event Viewer\Windows Logs\Channel_0.xml

Filesize
2KB

MD5
8d8c0f9c3af155ceb1feaaffb5ba155f

SHA1
f9492a829ae4e1ae8b03b9ccfee2b36b8ea09817

SHA256
292ba75d958841b7bafc6ff7b6794a4bdb88b324216b3b33f2bb14447356de98

SHA512
5da396421f2487085d02e09f81e4ee1ae84d967d8dd4bd5c911ef5ba13496eb92544d846af7b184948ea50a17a11bf0527554c3838870032b3f1ff8f88a7872b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mmc.exe.log

Filesize
1KB

MD5
d0970581271d0c28a1a7bece525d2f5a

SHA1
32267450b2555e3ce1b48f756bf84f250cfb0b36

SHA256
9289ae1cabb7b69426bc7f7044a1e6d169ee09e1092513e4f98d9c0db54fe0c1

SHA512
0238b34ecba9ba5d10a1eceadb553b827d5987543cd86ae5c38c6bce9a5622a3188315ae59e7fa98000af0ac266e1afd4a8054e6504f22b4fb4a1af12000c2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\RecentViews

Filesize
1KB

MD5
b3b4a29d6f98549de8ba4730c206cb13

SHA1
b2263d9873648637273f45f0e56ca628f4035062

SHA256
77167f6d47770ba10e286fe674480904fe1a60371f7d7a92629c54c4812c984d

SHA512
b58751a002e3b611f93c6b932f16932133e4b9e6a6670fbed1fecf35b4d0c4894e43a63b5a116be578e8e0f8ab40f4193441e1ddba9fb1930b6478ead2fd56ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Event Viewer\Settings.Xml

Filesize
109B

MD5
f31bd6fab0021178ea66e8cd8f0c051f

SHA1
efb7a75e1ef7cc5649df5c25f528b47dad908b3b

SHA256
4a6cd1e0bd61796623b25f14d9c58b188a9fa5e649964cd1a6dd50b5d4ddca77

SHA512
39ed61f2451a0c97930b5a23d191587803d6fab132bb020bf19069f6f2172010f2099c0c56abffcc9aa9163c8fd9ad9e255e213a7bbd3548158458b051c9b131

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\eventvwr

Filesize
136KB

MD5
2234ca458e2999aea55785cd0a770868

SHA1
6afcee4a18a027590a7c96c1ef05e0b089bf7bb7

SHA256
9626b1fb2cbe2c634cc7bd3ca1ecf244a0960f1823aabe9b0ba83038978ba146

SHA512
246f3dc923cbe1f831afcd2c4a84e19d60a706adffe699fe4ea8aa2683e6464cbcbc7d5b6c29c977ed1c32b9c241d4d9ab397d2c469a3656a07dd7c1977b3ca8

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
60a91a498c0f1ffddef484c5a4d42564

SHA1
a15dcd408c0aee1f5f38b50528583bdee6536227

SHA256
03dc66c9970481c5958d247f9eba93a6a7ad9f9bbf94845b9fbea8ed1e1e0757

SHA512
e7b7a308227fc3c72d8d1bd262389257e1f2fa419f6ceff58f73a06f850245f6e1068ea74cf42388ee2ca2712d7b5d9a2ce0e6f7264c3885b82c1caa70891e55

Download Submit
memory/1456-13-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/1456-6-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/1456-12-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/1456-10-0x00007FFEA7E10000-0x00007FFEA88D1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-14-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/1456-15-0x00007FF49C060000-0x00007FF49C070000-memory.dmp

Filesize
64KB

Download
memory/1456-16-0x0000000020370000-0x0000000020898000-memory.dmp

Filesize
5.2MB

Download
memory/1456-17-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/1456-18-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/1456-19-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/1456-20-0x000000001FE40000-0x000000001FF40000-memory.dmp

Filesize
1024KB

Download
memory/1456-29-0x00007FFEA7E10000-0x00007FFEA88D1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-8-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/1456-9-0x00007FF49C060000-0x00007FF49C070000-memory.dmp

Filesize
64KB

Download
memory/1456-5-0x00007FFEA7E10000-0x00007FFEA88D1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-11-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/1456-7-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

Filesize
64KB

Download
memory/3512-42-0x00007FFEA7CC0000-0x00007FFEA8781000-memory.dmp

Filesize
10.8MB

Download
memory/3512-33-0x00007FFEA7CC0000-0x00007FFEA8781000-memory.dmp

Filesize
10.8MB

Download
memory/3512-38-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-39-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-40-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-34-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-37-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-43-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-35-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-45-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-46-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-47-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-48-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-49-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/3512-50-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads