wannacry | 538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786

General

Target

538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll
Size

5.0MB
MD5

7c0ada776091154a2cb1015bcac66d65
SHA1

14b85e1558e891542fcc3fd71e2ab2068537112b
SHA256

538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786
SHA512

1ced5f1536b4fd61b49dfb16e3eca0777f8b1c7387a4ecc1de889027ae219c507f1d6a4ad921496352a6a09f1c616338fbcd7636a203e6c6489b019400d1965b
SSDEEP

98304:8DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:8DqPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery persistence ransomware upx worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3166) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

UPX dump on OEP (original entry point) 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/552-7-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
C:\Program Files\Common Files\System\symsrv.dll	UPX
behavioral2/memory/3392-15-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/552-23-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/3392-33-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/3392-43-0x0000000010000000-0x0000000010030000-memory.dmp	UPX
behavioral2/memory/3392-49-0x0000000010000000-0x0000000010030000-memory.dmp	UPX

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

552 mssecsvc.exe
3392 mssecsvc.exe
4316 tasksche.exe
Loads dropped DLL 4 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

552 mssecsvc.exe
3392 mssecsvc.exe
3392 mssecsvc.exe
3392 mssecsvc.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/552-7-0x0000000010000000-0x0000000010030000-memory.dmp	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
behavioral2/memory/3392-15-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/552-23-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3392-33-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3392-43-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/3392-49-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

mssecsvc.exe

description ioc process

File opened (read-only) \??\e: mssecsvc.exe

description	ioc	process
File opened (read-only)	\??\e:	mssecsvc.exe

Drops file in System32 directory 4 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe

Drops file in Program Files directory 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	mssecsvc.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid	process
552	mssecsvc.exe
552	mssecsvc.exe
3392	mssecsvc.exe
3392	mssecsvc.exe
3392	mssecsvc.exe
3392	mssecsvc.exe
3392	mssecsvc.exe
3392	mssecsvc.exe
3392	mssecsvc.exe
3392	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 552 mssecsvc.exe
Token: SeDebugPrivilege 3392 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	552	mssecsvc.exe
Token: SeDebugPrivilege	3392	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4140 wrote to memory of 4720	4140	rundll32.exe	rundll32.exe
PID 4140 wrote to memory of 4720	4140	rundll32.exe	rundll32.exe
PID 4140 wrote to memory of 4720	4140	rundll32.exe	rundll32.exe
PID 4720 wrote to memory of 552	4720	rundll32.exe	mssecsvc.exe
PID 4720 wrote to memory of 552	4720	rundll32.exe	mssecsvc.exe
PID 4720 wrote to memory of 552	4720	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4720

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4316

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Discovery

2

T1046

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll
Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000
Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
bc0ac3a1d5eed55f308a08ea8d52d603

SHA1
e25e171c5009ed601d24b3bd57316e60c7418960

SHA256
355008c92c4ebb44326349f57d3d7c4f18a1a0921c998faa74c084bc78df227c

SHA512
6f48ace39e8158643c3080caeb0956ed7b229286fb52b0991fe7ed09850e354f5ff87ed0f1f4f9aa53cb7acdc5b76949a167c668decff653f77f1646984feb88

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/552-7-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/552-23-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3392-35-0x0000000000AF0000-0x0000000000B20000-memory.dmp

Filesize
192KB

Download
memory/3392-40-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-25-0x0000000076875000-0x0000000076876000-memory.dmp

Filesize
4KB

Download
memory/3392-26-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-30-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-29-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-33-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3392-34-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-16-0x0000000000AF0000-0x0000000000B20000-memory.dmp

Filesize
192KB

Download
memory/3392-36-0x0000000000AF0000-0x0000000000B20000-memory.dmp

Filesize
192KB

Download
memory/3392-39-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-15-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3392-17-0x0000000000AF0000-0x0000000000B20000-memory.dmp

Filesize
192KB

Download
memory/3392-43-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3392-44-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-45-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-48-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-49-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3392-50-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-51-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-53-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-54-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download
memory/3392-55-0x0000000076860000-0x00000000768C3000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads