wannacry | 39c0d2054ef98167adca72deaa0ece1e0cb376180b651bb4c4808c938860c01a

General

Target

39c0d2054ef98167adca72deaa0ece1e0cb376180b651bb4c4808c938860c01aN.dll
Size

5.0MB
MD5

7deb1279dbfb8cae4c00c90b6aa09af0
SHA1

be2510ca7543a8d96cd0ce953d49e26f8e7af9d5
SHA256

39c0d2054ef98167adca72deaa0ece1e0cb376180b651bb4c4808c938860c01a
SHA512

c4a0df851092b7a59e8cd02644e44c561162df6b618bc28899e84d737b53d10bcb6d06feb80d63587d4d03b264b2aabd8bde667c9d4d7952432a24d19011e119
SSDEEP

49152:RnqEKUacBVQej/1INRb+TSqTdX1HkQo6SAARdhnv:1qyfBhz1aRbcSUDk36SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (2383) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2368	mssecsvr.exe
2284	mssecsvr.exe
2744	tasksche.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\GAESHFFR.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\GAESHFFR.txt	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\I8V4HO33.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\I8V4HO33.txt	mssecsvr.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2904	2744	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0070000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\WpadNetworkName = "Network 3"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\WpadDecision = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-e3-b1-bc-a8-e0\WpadDecisionReason = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\ea-e3-b1-bc-a8-e0	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-e3-b1-bc-a8-e0\WpadDecision = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\WpadDecisionReason = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D5B2E2E-025E-4641-932A-3A05614DE0B5}\WpadDecisionTime = d08f3169e551db01	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-e3-b1-bc-a8-e0	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-e3-b1-bc-a8-e0\WpadDecisionTime = d08f3169e551db01	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2896	2376	rundll32.exe	31
PID 2376 wrote to memory of 2896	2376	rundll32.exe	31
PID 2376 wrote to memory of 2896	2376	rundll32.exe	31
PID 2376 wrote to memory of 2896	2376	rundll32.exe	31
PID 2376 wrote to memory of 2896	2376	rundll32.exe	31
PID 2376 wrote to memory of 2896	2376	rundll32.exe	31
PID 2376 wrote to memory of 2896	2376	rundll32.exe	31
PID 2896 wrote to memory of 2368	2896	rundll32.exe	32
PID 2896 wrote to memory of 2368	2896	rundll32.exe	32
PID 2896 wrote to memory of 2368	2896	rundll32.exe	32
PID 2896 wrote to memory of 2368	2896	rundll32.exe	32
PID 2368 wrote to memory of 2744	2368	mssecsvr.exe	34
PID 2368 wrote to memory of 2744	2368	mssecsvr.exe	34
PID 2368 wrote to memory of 2744	2368	mssecsvr.exe	34
PID 2368 wrote to memory of 2744	2368	mssecsvr.exe	34
PID 2368 wrote to memory of 2744	2368	mssecsvr.exe	34
PID 2368 wrote to memory of 2744	2368	mssecsvr.exe	34
PID 2368 wrote to memory of 2744	2368	mssecsvr.exe	34
PID 2744 wrote to memory of 2904	2744	tasksche.exe	35
PID 2744 wrote to memory of 2904	2744	tasksche.exe	35
PID 2744 wrote to memory of 2904	2744	tasksche.exe	35
PID 2744 wrote to memory of 2904	2744	tasksche.exe	35
PID 2744 wrote to memory of 2904	2744	tasksche.exe	35
PID 2744 wrote to memory of 2904	2744	tasksche.exe	35
PID 2744 wrote to memory of 2904	2744	tasksche.exe	35

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39c0d2054ef98167adca72deaa0ece1e0cb376180b651bb4c4808c938860c01aN.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\39c0d2054ef98167adca72deaa0ece1e0cb376180b651bb4c4808c938860c01aN.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 224
        5⤵
        Program crash
        
        PID:2904

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
bf3b022a7a414517112a4df71fa5c294

SHA1
2d16062df97fd55746e35dbc4de486479aa77b66

SHA256
0459a4b1cbcd106fe2a83148a16d5db58591f205c48e5d0302839abec16061ed

SHA512
d456cf4d32efe0e677dda2d155606d434f32f9c090a33baa2657b25eda8a5c8d8c77e6294d313e41f208420ccf6b938aec358443144490676e32bcac2a665a38

Download Submit
C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
58bd8d9b59cfcb28006d6201bcc812c4

SHA1
d378511c5dd28e8b47b0f6dab7e83d3c4e5a79f4

SHA256
80a8466d60f37bac0b0157803a424060cf09553d0e65f73f1b291026fd889b24

SHA512
d834899670f61a314af753d3d235a1d2e89ad522f5d0646cef4533edef84e8f132a77ed244ed0868ca206f530fd1cd4774f25b075da6708a9ae849a62ecad70f

Download Submit

Analysis

Sharing