10WannaCry/H...c1.dll
windows7_x64
1WannaCry/H...c1.dll
windows10_x64
1WannaCry/H...81.dll
windows7_x64
10WannaCry/H...81.dll
windows10_x64
10WannaCry/T...7f.dll
windows7_x64
10WannaCry/T...7f.dll
windows10_x64
10WannaCry/T...71.dll
windows7_x64
10WannaCry/T...71.dll
windows10_x64
10WannaCry/T...02.dll
windows7_x64
10WannaCry/T...02.dll
windows10_x64
10WannaCry/T...2f.dll
windows7_x64
10WannaCry/T...2f.dll
windows10_x64
10WannaCry/T...a6.dll
windows7_x64
10WannaCry/T...a6.dll
windows10_x64
10WannaCry/T...3f.dll
windows7_x64
10WannaCry/T...3f.dll
windows10_x64
10WannaCry/T...66.dll
windows7_x64
10WannaCry/T...66.dll
windows10_x64
10WannaCry/T...ba.dll
windows7_x64
10WannaCry/T...ba.dll
windows10_x64
10WannaCry/T...37.dll
windows7_x64
WannaCry/T...37.dll
windows10_x64
10WannaCry/T...10.dll
windows7_x64
10WannaCry/T...10.dll
windows10_x64
10WannaCry/T...f2.dll
windows7_x64
10WannaCry/T...f2.dll
windows10_x64
10WannaCry/T...af.dll
windows7_x64
10WannaCry/T...af.dll
windows10_x64
10WannaCry/T...40.dll
windows7_x64
10WannaCry/T...40.dll
windows10_x64
10WannaCry/T...81.dll
windows7_x64
10WannaCry/T...81.dll
windows10_x64
Analysis — sandbox score 10 (maximum)
-
max time kernel
173s -
max time network
219s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-12-2020 20:16
Static task
static1
Behavioral task
behavioral1
Sample
WannaCry/HEUR.Trojan-Downloader.Win32.Generic.02c5f1515bf42798728fac17bfe1e4c1.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
WannaCry/HEUR.Trojan-Downloader.Win32.Generic.02c5f1515bf42798728fac17bfe1e4c1.dll
Resource
win10v20201028
Behavioral task
behavioral3
Sample
WannaCry/HEUR.Trojan.Win32.Generic.fc4bb3140f35cc8abd681b63096e7b81.dll
Resource
win7v20201028
Behavioral task
behavioral4
Sample
WannaCry/HEUR.Trojan.Win32.Generic.fc4bb3140f35cc8abd681b63096e7b81.dll
Resource
win10v20201028
Behavioral task
behavioral5
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll
Resource
win7v20201028
Behavioral task
behavioral6
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll
Resource
win10v20201028
Behavioral task
behavioral7
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll
Resource
win7v20201028
Behavioral task
behavioral8
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll
Resource
win10v20201028
Behavioral task
behavioral9
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab2aeda90221832167e5127332dd702.dll
Resource
win7v20201028
Behavioral task
behavioral10
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab2aeda90221832167e5127332dd702.dll
Resource
win10v20201028
Behavioral task
behavioral11
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll
Resource
win7v20201028
Behavioral task
behavioral12
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll
Resource
win10v20201028
Behavioral task
behavioral13
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll
Resource
win7v20201028
Behavioral task
behavioral14
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll
Resource
win10v20201028
Behavioral task
behavioral15
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
Resource
win7v20201028
Behavioral task
behavioral16
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
Resource
win10v20201028
Behavioral task
behavioral17
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1147f2c00d4bfd70169fe034c5965066.dll
Resource
win7v20201028
Behavioral task
behavioral18
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1147f2c00d4bfd70169fe034c5965066.dll
Resource
win10v20201028
Behavioral task
behavioral19
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.12cb506898dac8a271c8b940a9a3dfba.dll
Resource
win7v20201028
Behavioral task
behavioral20
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.12cb506898dac8a271c8b940a9a3dfba.dll
Resource
win10v20201028
Behavioral task
behavioral21
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
Resource
win7v20201028
Behavioral task
behavioral22
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
Resource
win10v20201028
Behavioral task
behavioral23
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1e8e8eb9b0c25208b5c83be09430c010.dll
Resource
win7v20201028
Behavioral task
behavioral24
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1e8e8eb9b0c25208b5c83be09430c010.dll
Resource
win10v20201028
Behavioral task
behavioral25
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll
Resource
win7v20201028
Behavioral task
behavioral26
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll
Resource
win10v20201028
Behavioral task
behavioral27
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll
Resource
win7v20201028
Behavioral task
behavioral28
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll
Resource
win10v20201028
Behavioral task
behavioral29
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2e5a8ac5174219bcb08d7449e43b1440.dll
Resource
win7v20201028
Behavioral task
behavioral30
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2e5a8ac5174219bcb08d7449e43b1440.dll
Resource
win10v20201028
Behavioral task
behavioral31
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2f76b88b420003516f90062940ef7881.dll
Resource
win7v20201028
Behavioral task
behavioral32
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2f76b88b420003516f90062940ef7881.dll
Resource
win10v20201028
General
-
Target
WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll
-
Size
5.0MB
-
MD5
0d95f3f64e7782ec7acd3a1b76c276a6
-
SHA1
c9301e03c44831417d5afad96921e565577c08cf
-
SHA256
0b352401619b8b6375dd37ba94a8b73526f428631ac12145858a94ce354b5ddc
-
SHA512
2e0c5066169488d18fe4dd4981e90066ddf66ab0aa2dab41aecd0e444e595894bd418ab896503d4b2fbee98f9c13506911561e11f881117a74e9e1017eca6eb0
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm. What this run actually recorded: the submitted DLL, loaded through rundll32 by ordinal export #1, drops C:\WINDOWS\mssecsvr.exe; that binary drops C:\WINDOWS\tasksche.exe and runs it with /i; tasksche.exe then writes C:\Windows\eee.exe and a __tmp_rar_sfx_access_check_* marker file. The marker is the pattern a WinRAR self-extracting archive leaves, which suggests this tasksche.exe is a repackaged variant rather than the original WannaCry dropper (confirm by inspecting the dropped file's hashes and packer). A second mssecsvr.exe instance runs with "-m security" at the root of the process tree with no recorded parent; together with the registry changes under HKEY_USERS\.DEFAULT and the WinINet cache/cookie files under SysWOW64\config\systemprofile, this is consistent with it running as a service under the SYSTEM account, as the canonical WannaCry worm component does (usually reported as mssecsvc.exe — the "r" spelling here may itself mark a modified build). Note that no service-creation, SMB/network, or file-encryption IoC appears on this page, so propagation and encryption behaviour must not be assumed from this report alone.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvr.exe, mssecsvr.exe, tasksche.exe
pid   process
3304  mssecsvr.exe
1324  mssecsvr.exe   (presumably the "-m security" instance — it has no parent in the WriteProcessMemory table below)
3208  tasksche.exe
-
Drops file in System32 directory 7 IoCs
Processes:
mssecsvr.exe
description                   ioc                                                                                                    process
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\8382614H.cookie   mssecsvr.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\8382614H.cookie   mssecsvr.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat       mssecsvr.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5         mssecsvr.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                  mssecsvr.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                   mssecsvr.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5           mssecsvr.exe
(These are WinINet cache/cookie/history paths under the LocalSystem profile; they are the side effect of an HTTP request made by a process running as SYSTEM. The request itself is not recorded on this page — check the network capture before concluding what was contacted.)
-
Drops file in Windows directory 4 IoCs
Processes:
tasksche.exe, rundll32.exe, mssecsvr.exe
description   ioc                                                    process
File created  C:\Windows\eee.exe                                     tasksche.exe
File created  C:\WINDOWS\mssecsvr.exe                                rundll32.exe
File created  C:\WINDOWS\tasksche.exe                                mssecsvr.exe
File created  C:\Windows\__tmp_rar_sfx_access_check_259364671        tasksche.exe
(The __tmp_rar_sfx_access_check_* file is the write-probe a WinRAR SFX stub creates before extracting; it indicates tasksche.exe here is an SFX wrapper — verify against the dropped-file hashes in Downloads.)
-
Modifies data under HKEY_USERS 8 IoCs
Processes:
mssecsvr.exe
description      ioc                                                                                                                     process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"   mssecsvr.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                   mssecsvr.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"                  mssecsvr.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"                 mssecsvr.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"                mssecsvr.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"                   mssecsvr.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix             mssecsvr.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   mssecsvr.exe
(All writes land in the .DEFAULT hive, i.e. the profile used by the SYSTEM account — another sign that this mssecsvr.exe instance is running as a service rather than in the submitting user's session. These keys are WinINet's first-use initialization, not attacker-chosen persistence.)
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
rundll32.exe, rundll32.exe, mssecsvr.exe
description                        pid   process        target process
PID 1012 wrote to memory of 752    1012  rundll32.exe   rundll32.exe
PID 1012 wrote to memory of 752    1012  rundll32.exe   rundll32.exe
PID 1012 wrote to memory of 752    1012  rundll32.exe   rundll32.exe
PID 752 wrote to memory of 3304    752   rundll32.exe   mssecsvr.exe
PID 752 wrote to memory of 3304    752   rundll32.exe   mssecsvr.exe
PID 752 wrote to memory of 3304    752   rundll32.exe   mssecsvr.exe
PID 3304 wrote to memory of 3208   3304  mssecsvr.exe   tasksche.exe
PID 3304 wrote to memory of 3208   3304  mssecsvr.exe   tasksche.exe
PID 3304 wrote to memory of 3208   3304  mssecsvr.exe   tasksche.exe
(Each write is parent → freshly created child, which is the normal CreateProcess pattern; there is no write into an unrelated process here, so this is not evidence of injection on its own.)
Processes
-
C:\Windows\system32\rundll32.exe — command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll,#1 (tree depth 1; the sandbox invokes the DLL's export ordinal #1)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe — command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b63096e7b81.dll,#1 (tree depth 2; the 64-bit rundll32 re-launching its SysWOW64 copy is what happens when the target DLL is 32-bit — consistent with the Win32 naming, but confirm from the PE header)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvr.exe — command line: C:\WINDOWS\mssecsvr.exe (tree depth 3; PID 3304, dropped by the SysWOW64 rundll32 above)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\tasksche.exe — command line: C:\WINDOWS\tasksche.exe /i (tree depth 4; PID 3208)
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\mssecsvr.exe — command line: C:\WINDOWS\mssecsvr.exe -m security (tree depth 1, no parent shown; presumably PID 1324, started by the Service Control Manager — see the HKEY_USERS\.DEFAULT and systemprofile artifacts above. No service-creation IoC is listed on this page, so the service name and its start type should be confirmed from the full event log.)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads
-
C:\WINDOWS\mssecsvr.exe (the same artifact is listed twice more below under C:\Windows\mssecsvr.exe with identical hashes — one dropped file, three listings)
MD5    be31aaec48f653b49a4ef8d9f4718bac
SHA1   02d1ec8b78ac096f5f175e1e11c47411b2088f4a
SHA256 15fd3b514b40082951c33e3a0b6b1164bd244ca0806162a3ebc61c90ab39d98d
SHA512 c3f428639b8008ba06c1a230ec0742f5b06b04f7e0fd7b4770641d9c19b880bcd3f65a45154fa26d2684f052fe014c479a28dc94756142322805679e00d104ad
-
C:\WINDOWS\tasksche.exe (also listed below under C:\Windows\tasksche.exe with identical hashes)
MD5    523fced1367557eff377b4795b8f9e83
SHA1   7caf8700303a20d1836e33ba45bd722207a46c8f
SHA256 a82524f5d7849444d4c2228c831205a288863f4d21422e7eac593ae191c32c31
SHA512 d0d53dc64c84a112c61381204eade9f8e1890e52aba110b40804b2d373255b7ba5e02f34bb55e3e8727f8a0e524aff1a2780daaa2b16946fcb05ae67e338e3f4
-
C:\Windows\mssecsvr.exe
MD5    be31aaec48f653b49a4ef8d9f4718bac
SHA1   02d1ec8b78ac096f5f175e1e11c47411b2088f4a
SHA256 15fd3b514b40082951c33e3a0b6b1164bd244ca0806162a3ebc61c90ab39d98d
SHA512 c3f428639b8008ba06c1a230ec0742f5b06b04f7e0fd7b4770641d9c19b880bcd3f65a45154fa26d2684f052fe014c479a28dc94756142322805679e00d104ad
-
C:\Windows\mssecsvr.exe
MD5    be31aaec48f653b49a4ef8d9f4718bac
SHA1   02d1ec8b78ac096f5f175e1e11c47411b2088f4a
SHA256 15fd3b514b40082951c33e3a0b6b1164bd244ca0806162a3ebc61c90ab39d98d
SHA512 c3f428639b8008ba06c1a230ec0742f5b06b04f7e0fd7b4770641d9c19b880bcd3f65a45154fa26d2684f052fe014c479a28dc94756142322805679e00d104ad
-
C:\Windows\tasksche.exe
MD5    523fced1367557eff377b4795b8f9e83
SHA1   7caf8700303a20d1836e33ba45bd722207a46c8f
SHA256 a82524f5d7849444d4c2228c831205a288863f4d21422e7eac593ae191c32c31
SHA512 d0d53dc64c84a112c61381204eade9f8e1890e52aba110b40804b2d373255b7ba5e02f34bb55e3e8727f8a0e524aff1a2780daaa2b16946fcb05ae67e338e3f4
-
memory/752-2-0x0000000000000000-mapping.dmp
-
memory/3208-7-0x0000000000000000-mapping.dmp
-
memory/3304-3-0x0000000000000000-mapping.dmp