wannacry | edd1fbcf42000838a7cb6bc32d4f41d8c2f894c0e749f0239b238d0432d0bf92

Analysis

Target

WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll
Size

5.0MB
MD5

2a13081acf353142a3e792683520cfaf
SHA1

9ced5f6260a5b508a6226693936a7d8f2308db27
SHA256

4c44d1c79e5f6f15d7dd3416f79e4fadb669c32615ab234767b506a8116e44f0
SHA512

ab9cee7fa2c4ee3a58031a82ea275c13d72a0399c2cc889170715e334cff8760be7fd8ee90a77128cdacbf4c6f3538f391f5c9d595653be24cfa0dacb947a210

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

632 mssecsvc.exe
1352 mssecsvc.exe
2552 tasksche.exe

Drops file in System32 directory 7 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\O3HJ16RO.cookie	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\O3HJ16RO.cookie	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3588 wrote to memory of 3584	3588	rundll32.exe	rundll32.exe
PID 3588 wrote to memory of 3584	3588	rundll32.exe	rundll32.exe
PID 3588 wrote to memory of 3584	3588	rundll32.exe	rundll32.exe
PID 3584 wrote to memory of 632	3584	rundll32.exe	mssecsvc.exe
PID 3584 wrote to memory of 632	3584	rundll32.exe	mssecsvc.exe
PID 3584 wrote to memory of 632	3584	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2552

C:\WINDOWS\mssecsvc.exe
MD5
2d017fa037d287f94f1441f3d4d829df

SHA1
5229f06ca64a98db0757b190714183ef22af5075

SHA256
f6fac3c066c00e6ced8218011777b37e571112f23e6c66658519b7cccc1e1311

SHA512
5b127b1d6732f8e3e546a314b063f2ecd3e4ad41c5b27fcc7485e505102ea510aa2e45617309801837aa7f8a2a07c8bcc490d0cfca2ededa8b20256a5d8a25a9

Download Submit
C:\Windows\mssecsvc.exe
MD5
2d017fa037d287f94f1441f3d4d829df

SHA1
5229f06ca64a98db0757b190714183ef22af5075

SHA256
f6fac3c066c00e6ced8218011777b37e571112f23e6c66658519b7cccc1e1311

SHA512
5b127b1d6732f8e3e546a314b063f2ecd3e4ad41c5b27fcc7485e505102ea510aa2e45617309801837aa7f8a2a07c8bcc490d0cfca2ededa8b20256a5d8a25a9

Download Submit
C:\Windows\mssecsvc.exe
MD5
2d017fa037d287f94f1441f3d4d829df

SHA1
5229f06ca64a98db0757b190714183ef22af5075

SHA256
f6fac3c066c00e6ced8218011777b37e571112f23e6c66658519b7cccc1e1311

SHA512
5b127b1d6732f8e3e546a314b063f2ecd3e4ad41c5b27fcc7485e505102ea510aa2e45617309801837aa7f8a2a07c8bcc490d0cfca2ededa8b20256a5d8a25a9

Download Submit
C:\Windows\tasksche.exe
MD5
507c3ed8112cb4a3b12b09b7aa484c5d

SHA1
0c133073d2476ccdd3f7e8fa97301d0cc1cfc81c

SHA256
8ad2f1dcc862074a83f4d34bc3653f59374a7375a74e661787c755bc2fe2ea54

SHA512
56adc50ba97e83e324381e952f88825c68145a29f0fe12fc5f7a47d874849d0e953a68c2be658e527394c005cc4850b5e492f781e7a6f44245b3d91b5212662b

Download Submit
memory/632-3-0x0000000000000000-mapping.dmp

Download
memory/3584-2-0x0000000000000000-mapping.dmp

Download