wannacry | c0af5be3062f93921ab7dfa8544c5b4b35c65cfbe56b0e1fb2234db8d1446a69

General

Target

c0af5be3062f93921ab7dfa8544c5b4b35c65cfbe56b0e1fb2234db8d1446a69.dll
Size

5.0MB
MD5

cfc424c730afcd48b93cbd3afddc16fc
SHA1

66b680cdcc9ce5189a6924411a7fe997bddd9263
SHA256

c0af5be3062f93921ab7dfa8544c5b4b35c65cfbe56b0e1fb2234db8d1446a69
SHA512

2063913f92bb3264dbc2d0a29625efaad098eef67b4ab1a1cfb2038cfc34510fc4cc8167c955cd79aac724e7c5be13f74321536439302242d838934a21d22d95
SSDEEP

98304:v8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:v8qPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3316) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1228	mssecsvc.exe
3032	mssecsvc.exe
2556	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2860	3012	rundll32.exe	30
PID 3012 wrote to memory of 2860	3012	rundll32.exe	30
PID 3012 wrote to memory of 2860	3012	rundll32.exe	30
PID 3012 wrote to memory of 2860	3012	rundll32.exe	30
PID 3012 wrote to memory of 2860	3012	rundll32.exe	30
PID 3012 wrote to memory of 2860	3012	rundll32.exe	30
PID 3012 wrote to memory of 2860	3012	rundll32.exe	30
PID 2860 wrote to memory of 1228	2860	rundll32.exe	31
PID 2860 wrote to memory of 1228	2860	rundll32.exe	31
PID 2860 wrote to memory of 1228	2860	rundll32.exe	31
PID 2860 wrote to memory of 1228	2860	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0af5be3062f93921ab7dfa8544c5b4b35c65cfbe56b0e1fb2234db8d1446a69.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0af5be3062f93921ab7dfa8544c5b4b35c65cfbe56b0e1fb2234db8d1446a69.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1228
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2556

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
04e178c7502ad997c41e30001cded555

SHA1
f85774da6bdb1eaf9de0cfa91ac2b4b03ab651b6

SHA256
662d30224000c8a784d6442df41db94357779f6ba044f6c4f64f7554c768c8a4

SHA512
9185fc0a76e98b0f75d1ea8c001b549c7386eecc6e0a8790a5d2a9f4af15df1bd6d3ea011806f6537b806b20f21d6c7b59368fa7ff0719177b57d291ceb85722

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/1228-8-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/1228-15-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/2860-7-0x0000000001EC0000-0x0000000002532000-memory.dmp

Filesize
6.4MB

Download
memory/3032-9-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/3032-16-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing