wannacry | fb2ddd079c9ea48c32edc702707a2e117e076a09196deec14f3eb9bb7492d619

General

Target

7c7262d9e49a40a52d0040942810456c.dll
Size

5.0MB
MD5

7c7262d9e49a40a52d0040942810456c
SHA1

11f1d0fc532dd8ac926e4ecbae734a484bccb54c
SHA256

fb2ddd079c9ea48c32edc702707a2e117e076a09196deec14f3eb9bb7492d619
SHA512

36ecf7c53affcbf2aaf4bd6455ad230c3f1271ab2f82036c8b557144f85724e1f8921a3e658c8076c980fcbce5224d093b7a5960d6d6671218da8e5167f877f2
SSDEEP

49152:RnpENbcBVQej/1INRx+TSqTdX1HkQo6SAgqG:1p+oBhz1aRxcSUDk36SAgH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3166) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2364	mssecsvr.exe
2004	mssecsvr.exe
2304	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\KUMWQDF6.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\KUMWQDF6.txt	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\O1RXUAKV.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\O1RXUAKV.txt	mssecsvr.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259501142	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428}\WpadDecisionTime = 507c54086567db01	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428}\d6-e1-6f-32-12-58	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428}	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428}\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428}\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e1-6f-32-12-58	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e1-6f-32-12-58\WpadDecisionTime = 507c54086567db01	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e1-6f-32-12-58\WpadDecision = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E9384D65-AB08-4757-A8C9-11D9498AE428}\WpadNetworkName = "Network 3"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-e1-6f-32-12-58\WpadDecisionReason = "1"	mssecsvr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2304	tasksche.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1128	1736	rundll32.exe	30
PID 1736 wrote to memory of 1128	1736	rundll32.exe	30
PID 1736 wrote to memory of 1128	1736	rundll32.exe	30
PID 1736 wrote to memory of 1128	1736	rundll32.exe	30
PID 1736 wrote to memory of 1128	1736	rundll32.exe	30
PID 1736 wrote to memory of 1128	1736	rundll32.exe	30
PID 1736 wrote to memory of 1128	1736	rundll32.exe	30
PID 1128 wrote to memory of 2364	1128	rundll32.exe	31
PID 1128 wrote to memory of 2364	1128	rundll32.exe	31
PID 1128 wrote to memory of 2364	1128	rundll32.exe	31
PID 1128 wrote to memory of 2364	1128	rundll32.exe	31
PID 2364 wrote to memory of 2304	2364	mssecsvr.exe	33
PID 2364 wrote to memory of 2304	2364	mssecsvr.exe	33
PID 2364 wrote to memory of 2304	2364	mssecsvr.exe	33
PID 2364 wrote to memory of 2304	2364	mssecsvr.exe	33
PID 2364 wrote to memory of 2304	2364	mssecsvr.exe	33
PID 2364 wrote to memory of 2304	2364	mssecsvr.exe	33
PID 2364 wrote to memory of 2304	2364	mssecsvr.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c7262d9e49a40a52d0040942810456c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c7262d9e49a40a52d0040942810456c.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2304

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\tasksche.exe

Filesize
2.0MB

MD5
97fe88aae55e849dce84bb3a105633d0

SHA1
8b70f9988f52b48e6c5997820215793ac31ade8f

SHA256
5374f0ace1103f63611d466af63c662a32f38f978358084aa763b39dccd83d2b

SHA512
5edf54319fbdf72783327de3e6702d2daf2ecc2997a9677939135e806bdaad1ea60c9d08dc8341b427832d704f1d232e66c159e11ebd63ef846bb966ccaa1127

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
a0a9d89096902bd94346342034c5101b

SHA1
0c4684c974a521cc2df6c9d654782142ca111cc3

SHA256
b2964fc76f83f1d7ac04a95995e2e04c4126a3026d09961232ff605144b8f175

SHA512
97bafcf6d0e1682fddc0723ffa7beba51bc241420ce06275c78e5427bad779426db1295c33e3f498d93d9fc5a9f45f290386e228a77db4ae8958e3f86b4c657c

Download Submit

Analysis

Sharing