Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-01-2025 19:57
Static task
- static1
Behavioral task
- behavioral1
- Sample: 430599e85618bd750b5bbfb21cb5f857.dll
- Resource: win7-20240903-en
Behavioral task
- behavioral2
- Sample: 430599e85618bd750b5bbfb21cb5f857.dll
- Resource: win10v2004-20241007-en
General
- Target: 430599e85618bd750b5bbfb21cb5f857.dll
- Size: 5.0MB
- MD5: 430599e85618bd750b5bbfb21cb5f857
- SHA1: c9ff0c824d324d6047a31eb07da54ba43a0a8b86
- SHA256: ec2a990e5ceea72eec6128d38e8debedffbe6cac244f7ee5e5e3d58e2ad0b202
- SHA512: 579734a994750f09d3cd6feb1d6e5f2793bce1eca37f65cb4fef50c0c908b18248e143a85cbf3d62bf5d0af1e5a4b48faa94dc3e92846e615215276b9322c1f7
- SSDEEP: 49152:RnpE/bcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1p4oBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Wannacry family
- Contacts a large (3305) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid | Process
  2912 | mssecsvr.exe
  2072 | mssecsvr.exe
  2196 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvr.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Y0S5BN9G.txt | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Y0S5BN9G.txt | mssecsvr.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Z2MBEIZF.txt | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Z2MBEIZF.txt | mssecsvr.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\mssecsvr.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvr.exe
  File created | C:\Windows\__tmp_rar_sfx_access_check_259428617 | tasksche.exe
  File created | C:\Windows\eee.exe | tasksche.exe
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42B21C9F-19A9-428F-8161-A7E3744F218E}\72-18-c8-2e-b8-34 | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvr.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00dd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42B21C9F-19A9-428F-8161-A7E3744F218E} | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-18-c8-2e-b8-34 | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42B21C9F-19A9-428F-8161-A7E3744F218E}\WpadDecisionReason = "1" | mssecsvr.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvr.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvr.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42B21C9F-19A9-428F-8161-A7E3744F218E}\WpadDecisionTime = f06a4580be66db01 | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42B21C9F-19A9-428F-8161-A7E3744F218E}\WpadDecision = "0" | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42B21C9F-19A9-428F-8161-A7E3744F218E}\WpadNetworkName = "Network 3" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-18-c8-2e-b8-34\WpadDecisionReason = "1" | mssecsvr.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-18-c8-2e-b8-34\WpadDecisionTime = f06a4580be66db01 | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-18-c8-2e-b8-34\WpadDecision = "0" | mssecsvr.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2196 | tasksche.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 2848 wrote to memory of 2900 | 2848 | rundll32.exe | 28
  PID 2848 wrote to memory of 2900 | 2848 | rundll32.exe | 28
  PID 2848 wrote to memory of 2900 | 2848 | rundll32.exe | 28
  PID 2848 wrote to memory of 2900 | 2848 | rundll32.exe | 28
  PID 2848 wrote to memory of 2900 | 2848 | rundll32.exe | 28
  PID 2848 wrote to memory of 2900 | 2848 | rundll32.exe | 28
  PID 2848 wrote to memory of 2900 | 2848 | rundll32.exe | 28
  PID 2900 wrote to memory of 2912 | 2900 | rundll32.exe | 29
  PID 2900 wrote to memory of 2912 | 2900 | rundll32.exe | 29
  PID 2900 wrote to memory of 2912 | 2900 | rundll32.exe | 29
  PID 2900 wrote to memory of 2912 | 2900 | rundll32.exe | 29
  PID 2912 wrote to memory of 2196 | 2912 | mssecsvr.exe | 31
  PID 2912 wrote to memory of 2196 | 2912 | mssecsvr.exe | 31
  PID 2912 wrote to memory of 2196 | 2912 | mssecsvr.exe | 31
  PID 2912 wrote to memory of 2196 | 2912 | mssecsvr.exe | 31
  PID 2912 wrote to memory of 2196 | 2912 | mssecsvr.exe | 31
  PID 2912 wrote to memory of 2196 | 2912 | mssecsvr.exe | 31
  PID 2912 wrote to memory of 2196 | 2912 | mssecsvr.exe | 31
Processes
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\430599e85618bd750b5bbfb21cb5f857.dll,#1)
  - Suspicious use of WriteProcessMemory
  PID: 2848
  - C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\430599e85618bd750b5bbfb21cb5f857.dll,#1)
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2900
    - C:\WINDOWS\mssecsvr.exe (command line: C:\WINDOWS\mssecsvr.exe)
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2912
      - C:\WINDOWS\tasksche.exe (command line: C:\WINDOWS\tasksche.exe /i)
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        PID: 2196
- C:\WINDOWS\mssecsvr.exe (command line: C:\WINDOWS\mssecsvr.exe -m security)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID: 2072
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.0MB
  MD5: 1ff321de9e6b8a865048789e18bb4232
  SHA1: 67a548cf33d086c224058ab30c631c04f5dad29d
  SHA256: ead0300a439be8ea26abc28944d1d3eb3b111ba1b3cad76b3b0f00b26dadd97a
  SHA512: ab57e6bdce2dd71c49affb8c093384e27d2cec6b4165a0089617098ac30ab00715e0251cc5f96f5710a74215c9eb8804113c177df7deef046d895ac733bba0bc
- Filesize: 2.2MB
  MD5: 03e8741684a2ea2aa24bad8da574435e
  SHA1: 9cc3be4e47aa9f1df05c1fdb8d528cfd09b8b88c
  SHA256: 4128abf9efa8bca93aede9b4a44aab78fab27d634f4c9581c64fa54d3bb8993e
  SHA512: ff6d7dcc2242f316e31b073a9f662ad6d7bc7c31c6eedfde75e1b16109a1f8c3c70e1de92ee67db62e0561572d53c118240a3a5ec2004c12ed1d54cc3aa693d5