Overview
overview
10Static
static
10WannaCry/H...c1.dll
windows7_x64
1WannaCry/H...c1.dll
windows10_x64
1WannaCry/H...81.dll
windows7_x64
10WannaCry/H...81.dll
windows10_x64
10WannaCry/T...7f.dll
windows7_x64
10WannaCry/T...7f.dll
windows10_x64
10WannaCry/T...71.dll
windows7_x64
10WannaCry/T...71.dll
windows10_x64
10WannaCry/T...02.dll
windows7_x64
10WannaCry/T...02.dll
windows10_x64
10WannaCry/T...2f.dll
windows7_x64
10WannaCry/T...2f.dll
windows10_x64
10WannaCry/T...a6.dll
windows7_x64
10WannaCry/T...a6.dll
windows10_x64
10WannaCry/T...3f.dll
windows7_x64
10WannaCry/T...3f.dll
windows10_x64
10WannaCry/T...66.dll
windows7_x64
10WannaCry/T...66.dll
windows10_x64
10WannaCry/T...ba.dll
windows7_x64
10WannaCry/T...ba.dll
windows10_x64
10WannaCry/T...37.dll
windows7_x64
WannaCry/T...37.dll
windows10_x64
10WannaCry/T...10.dll
windows7_x64
10WannaCry/T...10.dll
windows10_x64
10WannaCry/T...f2.dll
windows7_x64
10WannaCry/T...f2.dll
windows10_x64
10WannaCry/T...af.dll
windows7_x64
10WannaCry/T...af.dll
windows10_x64
10WannaCry/T...40.dll
windows7_x64
10WannaCry/T...40.dll
windows10_x64
10WannaCry/T...81.dll
windows7_x64
10WannaCry/T...81.dll
windows10_x64
10Analysis
-
max time kernel
162s -
max time network
199s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-12-2020 20:16
Static task
static1
Behavioral task
behavioral1
Sample
WannaCry/HEUR.Trojan-Downloader.Win32.Generic.02c5f1515bf42798728fac17bfe1e4c1.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
WannaCry/HEUR.Trojan-Downloader.Win32.Generic.02c5f1515bf42798728fac17bfe1e4c1.dll
Resource
win10v20201028
Behavioral task
behavioral3
Sample
WannaCry/HEUR.Trojan.Win32.Generic.fc4bb3140f35cc8abd681b63096e7b81.dll
Resource
win7v20201028
Behavioral task
behavioral4
Sample
WannaCry/HEUR.Trojan.Win32.Generic.fc4bb3140f35cc8abd681b63096e7b81.dll
Resource
win10v20201028
Behavioral task
behavioral5
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll
Resource
win7v20201028
Behavioral task
behavioral6
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll
Resource
win10v20201028
Behavioral task
behavioral7
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll
Resource
win7v20201028
Behavioral task
behavioral8
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll
Resource
win10v20201028
Behavioral task
behavioral9
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab2aeda90221832167e5127332dd702.dll
Resource
win7v20201028
Behavioral task
behavioral10
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab2aeda90221832167e5127332dd702.dll
Resource
win10v20201028
Behavioral task
behavioral11
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll
Resource
win7v20201028
Behavioral task
behavioral12
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll
Resource
win10v20201028
Behavioral task
behavioral13
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll
Resource
win7v20201028
Behavioral task
behavioral14
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll
Resource
win10v20201028
Behavioral task
behavioral15
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
Resource
win7v20201028
Behavioral task
behavioral16
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
Resource
win10v20201028
Behavioral task
behavioral17
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1147f2c00d4bfd70169fe034c5965066.dll
Resource
win7v20201028
Behavioral task
behavioral18
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1147f2c00d4bfd70169fe034c5965066.dll
Resource
win10v20201028
Behavioral task
behavioral19
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.12cb506898dac8a271c8b940a9a3dfba.dll
Resource
win7v20201028
Behavioral task
behavioral20
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.12cb506898dac8a271c8b940a9a3dfba.dll
Resource
win10v20201028
Behavioral task
behavioral21
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
Resource
win7v20201028
Behavioral task
behavioral22
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
Resource
win10v20201028
Behavioral task
behavioral23
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1e8e8eb9b0c25208b5c83be09430c010.dll
Resource
win7v20201028
Behavioral task
behavioral24
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1e8e8eb9b0c25208b5c83be09430c010.dll
Resource
win10v20201028
Behavioral task
behavioral25
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll
Resource
win7v20201028
Behavioral task
behavioral26
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll
Resource
win10v20201028
Behavioral task
behavioral27
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll
Resource
win7v20201028
Behavioral task
behavioral28
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll
Resource
win10v20201028
Behavioral task
behavioral29
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2e5a8ac5174219bcb08d7449e43b1440.dll
Resource
win7v20201028
Behavioral task
behavioral30
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2e5a8ac5174219bcb08d7449e43b1440.dll
Resource
win10v20201028
Behavioral task
behavioral31
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2f76b88b420003516f90062940ef7881.dll
Resource
win7v20201028
Behavioral task
behavioral32
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2f76b88b420003516f90062940ef7881.dll
Resource
win10v20201028
General
-
Target
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll
-
Size
5.0MB
-
MD5
0ab9a60a55cb40fc338e8f4988feee2f
-
SHA1
40b02f6f1d79200e8c2cca3123f08994b06cc0cf
-
SHA256
8fb8affd012c7c103942c3c544ca7a2e31375428bb6cd17fbd49a6be08e47103
-
SHA512
ccf39f7923768037e823a5f3ddfc0895bb244c35a39d5199cbcd6a830e1544c56e3aa322cf7ede0fa8332ce6925a01755c9e1606dddb308c5e6f63b855e2ae11
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvr.exemssecsvr.exetasksche.exepid process 1444 mssecsvr.exe 1324 mssecsvr.exe 1112 tasksche.exe -
Drops file in System32 directory 3 IoCs
Processes:
mssecsvr.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvr.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\HIDH994I.txt mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\HIDH994I.txt mssecsvr.exe -
Drops file in Windows directory 4 IoCs
Processes:
rundll32.exemssecsvr.exetasksche.exedescription ioc process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe File created C:\Windows\__tmp_rar_sfx_access_check_259319198 tasksche.exe File created C:\Windows\eee.exe tasksche.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvr.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07004f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77 mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD} mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 30c7e122c4dbd601 mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 30c7e122c4dbd601 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 mssecsvr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
tasksche.exepid process 1112 tasksche.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
rundll32.exerundll32.exemssecsvr.exedescription pid process target process PID 908 wrote to memory of 1092 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 1092 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 1092 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 1092 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 1092 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 1092 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 1092 908 rundll32.exe rundll32.exe PID 1092 wrote to memory of 1444 1092 rundll32.exe mssecsvr.exe PID 1092 wrote to memory of 1444 1092 rundll32.exe mssecsvr.exe PID 1092 wrote to memory of 1444 1092 rundll32.exe mssecsvr.exe PID 1092 wrote to memory of 1444 1092 rundll32.exe mssecsvr.exe PID 1444 wrote to memory of 1112 1444 mssecsvr.exe tasksche.exe PID 1444 wrote to memory of 1112 1444 mssecsvr.exe tasksche.exe PID 1444 wrote to memory of 1112 1444 mssecsvr.exe tasksche.exe PID 1444 wrote to memory of 1112 1444 mssecsvr.exe tasksche.exe PID 1444 wrote to memory of 1112 1444 mssecsvr.exe tasksche.exe PID 1444 wrote to memory of 1112 1444 mssecsvr.exe tasksche.exe PID 1444 wrote to memory of 1112 1444 mssecsvr.exe tasksche.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvr.exeMD5
008fb2d2f5c1d480ffd43ef2fa6d4f72
SHA1af3a66bfa2cda83a0f4acefd964fa11b7ec5e2b5
SHA25681e753d746d1417b626231657927a446c1406d2fccb6c8d0280780d5e2f50bc7
SHA512935953ec5481c19f6b2bb353c3094a76a855492060260ccbe8b6845dface74a9bac77babad91c21ef42f5e91aa6c84e18558e1ea0c35f44bc309bfd4924288ab
-
C:\WINDOWS\tasksche.exeMD5
eb4724c29cd3801e5bd42eec4acdfbc7
SHA103a963f396386306988faf1fd79065356b8d951d
SHA256d902478012c72485b63542edcfb1f6cc37b1d7f26ebf16fb2c29ed3fa50f7fc9
SHA512180ea372a2fafbca2d55856dc57252d33a744ce274582c7f1c4aa9a27e9333c5ecc8ef895ace001f1cbc09ee03c4beef79b2537aea9b3e3f6aa0f1f722bbbad4
-
C:\Windows\mssecsvr.exeMD5
008fb2d2f5c1d480ffd43ef2fa6d4f72
SHA1af3a66bfa2cda83a0f4acefd964fa11b7ec5e2b5
SHA25681e753d746d1417b626231657927a446c1406d2fccb6c8d0280780d5e2f50bc7
SHA512935953ec5481c19f6b2bb353c3094a76a855492060260ccbe8b6845dface74a9bac77babad91c21ef42f5e91aa6c84e18558e1ea0c35f44bc309bfd4924288ab
-
C:\Windows\mssecsvr.exeMD5
008fb2d2f5c1d480ffd43ef2fa6d4f72
SHA1af3a66bfa2cda83a0f4acefd964fa11b7ec5e2b5
SHA25681e753d746d1417b626231657927a446c1406d2fccb6c8d0280780d5e2f50bc7
SHA512935953ec5481c19f6b2bb353c3094a76a855492060260ccbe8b6845dface74a9bac77babad91c21ef42f5e91aa6c84e18558e1ea0c35f44bc309bfd4924288ab
-
C:\Windows\tasksche.exeMD5
eb4724c29cd3801e5bd42eec4acdfbc7
SHA103a963f396386306988faf1fd79065356b8d951d
SHA256d902478012c72485b63542edcfb1f6cc37b1d7f26ebf16fb2c29ed3fa50f7fc9
SHA512180ea372a2fafbca2d55856dc57252d33a744ce274582c7f1c4aa9a27e9333c5ecc8ef895ace001f1cbc09ee03c4beef79b2537aea9b3e3f6aa0f1f722bbbad4
-
memory/1092-2-0x0000000000000000-mapping.dmp
-
memory/1112-8-0x0000000000000000-mapping.dmp
-
memory/1444-3-0x0000000000000000-mapping.dmp
-
memory/2000-5-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmpFilesize
2.5MB