wannacry | edd1fbcf42000838a7cb6bc32d4f41d8c2f894c0e749f0239b238d0432d0bf92

Analysis

Target

WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll
Size

5.0MB
MD5

01bdc6fb077098f4a3b60f4b0e479a7f
SHA1

61acc362327a7df8f7672b905c62414f769beb61
SHA256

35c0e0c0e70565cfdc78ac708e122c2f65059ea337216418d674a343da90927e
SHA512

1c1adcf76854c615cd80ff489845c3261ff3de5f6dd1374527cdd5e00ecb0510a4a03df554f4299dd786d8d3abc6a3f7ad9ecda3cfed6e19b00c6cf30321bab5

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

4176 mssecsvr.exe
652 mssecsvr.exe

pid	process
4176	mssecsvr.exe
652	mssecsvr.exe

Drops file in System32 directory 7 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\CVGZQE6I.cookie	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\CVGZQE6I.cookie	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvr.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvr.exe
File created C:\WINDOWS\mssecsvr.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 720 wrote to memory of 3232	720	rundll32.exe	rundll32.exe
PID 720 wrote to memory of 3232	720	rundll32.exe	rundll32.exe
PID 720 wrote to memory of 3232	720	rundll32.exe	rundll32.exe
PID 3232 wrote to memory of 4176	3232	rundll32.exe	mssecsvr.exe
PID 3232 wrote to memory of 4176	3232	rundll32.exe	mssecsvr.exe
PID 3232 wrote to memory of 4176	3232	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\WINDOWS\mssecsvr.exe
MD5
ad8aa6668838b6d869f81fb289b636b1

SHA1
cc3643cd70f59854e492369b7e580a298fb7ad31

SHA256
46988f6a24d131166de061d95bad9ab9de3a53ab0286e7c9cb39333eaea562f7

SHA512
1bf2b56ba5a84a0232d80855e9df52e844eb751fc5953d09fce9263648ecc62a580fd4bf72890e0d1528c008547596ad91376a8a25b65dddaabb6a2708a6da44

Download Submit
C:\Windows\mssecsvr.exe
MD5
ad8aa6668838b6d869f81fb289b636b1

SHA1
cc3643cd70f59854e492369b7e580a298fb7ad31

SHA256
46988f6a24d131166de061d95bad9ab9de3a53ab0286e7c9cb39333eaea562f7

SHA512
1bf2b56ba5a84a0232d80855e9df52e844eb751fc5953d09fce9263648ecc62a580fd4bf72890e0d1528c008547596ad91376a8a25b65dddaabb6a2708a6da44

Download Submit
C:\Windows\mssecsvr.exe
MD5
ad8aa6668838b6d869f81fb289b636b1

SHA1
cc3643cd70f59854e492369b7e580a298fb7ad31

SHA256
46988f6a24d131166de061d95bad9ab9de3a53ab0286e7c9cb39333eaea562f7

SHA512
1bf2b56ba5a84a0232d80855e9df52e844eb751fc5953d09fce9263648ecc62a580fd4bf72890e0d1528c008547596ad91376a8a25b65dddaabb6a2708a6da44

Download Submit
memory/3232-2-0x0000000000000000-mapping.dmp

Download
memory/4176-3-0x0000000000000000-mapping.dmp

Download