wannacry | edd1fbcf42000838a7cb6bc32d4f41d8c2f894c0e749f0239b238d0432d0bf92

Analysis

max time kernel
75s
max time network
181s
platform
windows7_x64
resource
win7v20201028
submitted
26-12-2020 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll
Size

5.0MB
MD5

29a9dd686f08aacddacc43a0c57215f2
SHA1

3ed8902c24568adafc3ac35d9b4c92ba02406e8c
SHA256

02e4a7ebf81840f41a3c8b5e330a37977b7783120ed12deca77d30825266810d
SHA512

28234611882e8facdb6feb0072d72d4c8790d57a2b5eba33074f914a0a04ee4d95f50a4c9038c04526db37b5678e5d53363fb3f0ea168e13d948aa950e0fc4d4

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

1976 mssecsvr.exe
332 mssecsvr.exe

pid	process
1976	mssecsvr.exe
332	mssecsvr.exe

Drops file in System32 directory 3 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Z4U8H15O.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Z4U8H15O.txt	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1548 332 WerFault.exe mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

pid	pid_target	process	target process
1548	332	WerFault.exe	mssecsvr.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = c040561dc4dbd601	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070059000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = c040561dc4dbd601	mssecsvr.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1548 WerFault.exe
1548 WerFault.exe
1548 WerFault.exe
1548 WerFault.exe
1548 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1548 WerFault.exe

pid	process
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1548	WerFault.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exe

description	pid	process	target process
PID 1652 wrote to memory of 1468	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1468	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1468	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1468	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1468	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1468	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1468	1652	rundll32.exe	rundll32.exe
PID 1468 wrote to memory of 1976	1468	rundll32.exe	mssecsvr.exe
PID 1468 wrote to memory of 1976	1468	rundll32.exe	mssecsvr.exe
PID 1468 wrote to memory of 1976	1468	rundll32.exe	mssecsvr.exe
PID 1468 wrote to memory of 1976	1468	rundll32.exe	mssecsvr.exe
PID 332 wrote to memory of 1548	332	mssecsvr.exe	WerFault.exe
PID 332 wrote to memory of 1548	332	mssecsvr.exe	WerFault.exe
PID 332 wrote to memory of 1548	332	mssecsvr.exe	WerFault.exe
PID 332 wrote to memory of 1548	332	mssecsvr.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1468

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1976

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 544
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe
MD5
b304073942fba0ddb2c4e201e6a56afe

SHA1
3d11a91ce696461e97b21a138bed49004861df83

SHA256
b8a9a06be3f08243eb994503369be36ed71701b28c07dd98d84ed8f434de0a6d

SHA512
d02d8eeecad65b2a118098373b2eda96de9d4c061cfda3aaccda91b272ab9b8b6de24b3a99cc4d7c61a34c879af5a3df08f6ce618441f9f27433eadccee9b088

Download Submit
C:\Windows\mssecsvr.exe
MD5
b304073942fba0ddb2c4e201e6a56afe

SHA1
3d11a91ce696461e97b21a138bed49004861df83

SHA256
b8a9a06be3f08243eb994503369be36ed71701b28c07dd98d84ed8f434de0a6d

SHA512
d02d8eeecad65b2a118098373b2eda96de9d4c061cfda3aaccda91b272ab9b8b6de24b3a99cc4d7c61a34c879af5a3df08f6ce618441f9f27433eadccee9b088

Download Submit
C:\Windows\mssecsvr.exe
MD5
b304073942fba0ddb2c4e201e6a56afe

SHA1
3d11a91ce696461e97b21a138bed49004861df83

SHA256
b8a9a06be3f08243eb994503369be36ed71701b28c07dd98d84ed8f434de0a6d

SHA512
d02d8eeecad65b2a118098373b2eda96de9d4c061cfda3aaccda91b272ab9b8b6de24b3a99cc4d7c61a34c879af5a3df08f6ce618441f9f27433eadccee9b088

Download Submit
memory/1468-2-0x0000000000000000-mapping.dmp

Download
memory/1548-8-0x0000000000000000-mapping.dmp

Download
memory/1548-9-0x0000000000830000-0x0000000000841000-memory.dmp

Filesize
68KB

Download
memory/1548-10-0x0000000000830000-0x0000000000841000-memory.dmp

Filesize
68KB

Download
memory/1728-5-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp

Filesize
2.5MB

Download
memory/1976-3-0x0000000000000000-mapping.dmp

Download