wannacry | 55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3

General

Target

Win32.Wannacry.dll
Size

5.0MB
MD5

30fe2f9a048d7a734c8d9233f64810ba
SHA1

2027a053de21bd5c783c3f823ed1d36966780ed4
SHA256

55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3
SHA512

b657b02506f768db3255293b0c86452b4dfdd30804629c323aaa9510a3b637b0906e5963179ef7d4aaedc14646f2be2b4292e6584a6c55c6ddb596cff7f20e2a
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE is not expected to spawn this process	2172	2748	CLVIEW.EXE	36

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3319) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
344	mssecsvc.exe
1040	mssecsvc.exe
2060	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CLVIEW.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	CLVIEW.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CLVIEW.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CLVIEW.EXE

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FD802C9B-BF64-4D70-8A55-0E5E4C2AB66C}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FD802C9B-BF64-4D70-8A55-0E5E4C2AB66C}\WpadDecisionTime = 705139973f56db01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-ba-5d-cf-34-d8\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0173000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FD802C9B-BF64-4D70-8A55-0E5E4C2AB66C}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FD802C9B-BF64-4D70-8A55-0E5E4C2AB66C}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-ba-5d-cf-34-d8\WpadDecisionTime = 705139973f56db01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FD802C9B-BF64-4D70-8A55-0E5E4C2AB66C}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-ba-5d-cf-34-d8	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FD802C9B-BF64-4D70-8A55-0E5E4C2AB66C}\a6-ba-5d-cf-34-d8	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-ba-5d-cf-34-d8\WpadDecision = "0"	mssecsvc.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2748	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2748	POWERPNT.EXE
2172	CLVIEW.EXE
2172	CLVIEW.EXE
2172	CLVIEW.EXE
2172	CLVIEW.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1740	2556	rundll32.exe	30
PID 2556 wrote to memory of 1740	2556	rundll32.exe	30
PID 2556 wrote to memory of 1740	2556	rundll32.exe	30
PID 2556 wrote to memory of 1740	2556	rundll32.exe	30
PID 2556 wrote to memory of 1740	2556	rundll32.exe	30
PID 2556 wrote to memory of 1740	2556	rundll32.exe	30
PID 2556 wrote to memory of 1740	2556	rundll32.exe	30
PID 1740 wrote to memory of 344	1740	rundll32.exe	31
PID 1740 wrote to memory of 344	1740	rundll32.exe	31
PID 1740 wrote to memory of 344	1740	rundll32.exe	31
PID 1740 wrote to memory of 344	1740	rundll32.exe	31
PID 2748 wrote to memory of 2876	2748	POWERPNT.EXE	37
PID 2748 wrote to memory of 2876	2748	POWERPNT.EXE	37
PID 2748 wrote to memory of 2876	2748	POWERPNT.EXE	37
PID 2748 wrote to memory of 2876	2748	POWERPNT.EXE	37
PID 2748 wrote to memory of 2172	2748	POWERPNT.EXE	38
PID 2748 wrote to memory of 2172	2748	POWERPNT.EXE	38
PID 2748 wrote to memory of 2172	2748	POWERPNT.EXE	38
PID 2748 wrote to memory of 2172	2748	POWERPNT.EXE	38

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Win32.Wannacry.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Win32.Wannacry.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:344
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2060

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1040

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\StartInstall.pps"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE" "POWERPNT" "Microsoft PowerPoint"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Discovery

2

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MsOfficeHelp14\MOH1151.tmp\ClientViewerSettings.xml

Filesize
7KB

MD5
88fbdbf0b8ed30038abb141e26ad42b6

SHA1
e867446eeef83f11ec0b9c3fee7499442923d9a3

SHA256
63a2227b104139265e9d2f43e5e4c8c61aabcd92ffee838fbbe18e987e911c68

SHA512
e3924be97958268b1ed49e396965b901121ac4c1c04e8fbc209517b00c9f2de386c821703e31a7d85383055f381a0191a59f0aad159b94e5071a81325eb4d25d

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
90a1e06d78737b9a87e8ea42f76e2544

SHA1
785ddf8bd3add2da415cbc7c39aab7eb21407d20

SHA256
e1bee0f7a7cd0ac8659033d9e67bfc83ae03843ed30dff8ca590f916604a6de7

SHA512
40ee623eb975b3890d3e8260e76963d078a7734c040d4151fa0cf11fd6e2421f5ea609f67922a51c6df7a09f077087361586d5f40208bc97ee70531e2a3df5be

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
0df2ae526d7350c2e3d1383c07a6be04

SHA1
06c4d41c60736ea1e0bb1b095536499e05068442

SHA256
10111f53da4181d548ea77cc91f02a15b9ede3f111f074230761f2afee7cd637

SHA512
9ca1ca36dcefdb1eba3152bc2d14c9dceb3360960338d13db5f8a02327aef80cb0ab238c2c1f3d2dbd7fd75124d4199b5cd63f173a09a0dea212ebb265f8453d

Download Submit
memory/2172-120-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2748-12-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing