wannacry | 5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e

General

Target

5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e.dll
Size

5.0MB
MD5

6f2a81fa5f34458251c0816159efb6ca
SHA1

7e211a896555b09996bc53f340af713f579dadfa
SHA256

5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e
SHA512

31df3240675d10d15ac4b272a92425b46ffe6ee4d397a5d34179a09318feb61c70642e7ec1df568998b43686c07a2a8312a31981cf51a2f60a21c53bc04cd499

Score

10^/10

ransomware worm wannacry

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 4 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exemssecsvc.exe

pid process

1044 mssecsvc.exe
664 mssecsvc.exe
816 tasksche.exe
1160 mssecsvc.exe

pid	process
1044	mssecsvc.exe
664	mssecsvc.exe
816	tasksche.exe
1160	mssecsvc.exe

Drops file in System32 directory 6 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\7L7WAULT.txt	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\7L7WAULT.txt	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\RAT0S5ZS.txt	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\RAT0S5ZS.txt	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

792 664 WerFault.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

pid	pid_target	process	target process
792	664	WerFault.exe	mssecsvc.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a0700aa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionTime = 40b47b2216a4d601	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a0700aa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\32-e2-17-db-d2-77	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadNetworkName = "Network"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\32-e2-17-db-d2-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 403fe8df15a4d601	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 40b47b2216a4d601	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecisionTime = 403fe8df15a4d601	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 403fe8df15a4d601	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0B3A07F-52FE-4CB4-B180-D347A88145E3}\WpadNetworkName = "Network"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a0700aa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

792 WerFault.exe
792 WerFault.exe
792 WerFault.exe
792 WerFault.exe
792 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 792 WerFault.exe

pid	process
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	792	WerFault.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1332 wrote to memory of 1048	1332	rundll32.exe	rundll32.exe
PID 1332 wrote to memory of 1048	1332	rundll32.exe	rundll32.exe
PID 1332 wrote to memory of 1048	1332	rundll32.exe	rundll32.exe
PID 1332 wrote to memory of 1048	1332	rundll32.exe	rundll32.exe
PID 1332 wrote to memory of 1048	1332	rundll32.exe	rundll32.exe
PID 1332 wrote to memory of 1048	1332	rundll32.exe	rundll32.exe
PID 1332 wrote to memory of 1048	1332	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 1044	1048	rundll32.exe	mssecsvc.exe
PID 1048 wrote to memory of 1044	1048	rundll32.exe	mssecsvc.exe
PID 1048 wrote to memory of 1044	1048	rundll32.exe	mssecsvc.exe
PID 1048 wrote to memory of 1044	1048	rundll32.exe	mssecsvc.exe
PID 664 wrote to memory of 792	664	mssecsvc.exe	WerFault.exe
PID 664 wrote to memory of 792	664	mssecsvc.exe	WerFault.exe
PID 664 wrote to memory of 792	664	mssecsvc.exe	WerFault.exe
PID 664 wrote to memory of 792	664	mssecsvc.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1048

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1044

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:816

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 616
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
aaac4f4442ab7478126d61316c740afe

SHA1
22125cfa3072adc8d1a05859c4f83f445db68a61

SHA256
816adc100114f8fb4cb8abd9566496cec3af255e5ec131c50e50b64d975ecaca

SHA512
acf29483cf37a7104b80f580a3cb21b185258f993c23e097674863dc8a83759839ce5cea21ac160e306aa07f5fbe0dd0878466f5b334dd8002e61918ea26cb9b

Download Submit
C:\Windows\mssecsvc.exe
MD5
aaac4f4442ab7478126d61316c740afe

SHA1
22125cfa3072adc8d1a05859c4f83f445db68a61

SHA256
816adc100114f8fb4cb8abd9566496cec3af255e5ec131c50e50b64d975ecaca

SHA512
acf29483cf37a7104b80f580a3cb21b185258f993c23e097674863dc8a83759839ce5cea21ac160e306aa07f5fbe0dd0878466f5b334dd8002e61918ea26cb9b

Download Submit
C:\Windows\mssecsvc.exe
MD5
aaac4f4442ab7478126d61316c740afe

SHA1
22125cfa3072adc8d1a05859c4f83f445db68a61

SHA256
816adc100114f8fb4cb8abd9566496cec3af255e5ec131c50e50b64d975ecaca

SHA512
acf29483cf37a7104b80f580a3cb21b185258f993c23e097674863dc8a83759839ce5cea21ac160e306aa07f5fbe0dd0878466f5b334dd8002e61918ea26cb9b

Download Submit
C:\Windows\mssecsvc.exe
MD5
aaac4f4442ab7478126d61316c740afe

SHA1
22125cfa3072adc8d1a05859c4f83f445db68a61

SHA256
816adc100114f8fb4cb8abd9566496cec3af255e5ec131c50e50b64d975ecaca

SHA512
acf29483cf37a7104b80f580a3cb21b185258f993c23e097674863dc8a83759839ce5cea21ac160e306aa07f5fbe0dd0878466f5b334dd8002e61918ea26cb9b

Download Submit
C:\Windows\tasksche.exe
MD5
a32d2c5d51aafaa54ae3117db26b72ce

SHA1
e6e0a521f95d78b4897b7e24ca4cf76eac9b6d84

SHA256
011ae0697f87e8b45d3815e15655e3ee86f438f2a03e1e5fae5b424d9aad7603

SHA512
8da0b7bbda1bfb38f9c38c8ee00796ac5415bf1d2f4dd9d6ec69c4c2a2c4f3fdee136550f3a88772d9383513f7585b71cddf74ff68ace8cd8ecc4b8b00342864

Download Submit
memory/792-7-0x0000000000000000-mapping.dmp

Download
memory/792-8-0x0000000000B60000-0x0000000000B71000-memory.dmp

Filesize
68KB

Download
memory/792-9-0x0000000000B60000-0x0000000000B71000-memory.dmp

Filesize
68KB

Download
memory/792-12-0x0000000001360000-0x0000000001371000-memory.dmp

Filesize
68KB

Download
memory/1044-1-0x0000000000000000-mapping.dmp

Download
memory/1048-0-0x0000000000000000-mapping.dmp

Download
memory/1356-3-0x000007FEF83B0000-0x000007FEF862A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads