wannacry | edd1fbcf42000838a7cb6bc32d4f41d8c2f894c0e749f0239b238d0432d0bf92

Analysis

max time kernel
168s
max time network
210s
platform
windows7_x64
resource
win7v20201028
submitted
26-12-2020 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll
Size

5.0MB
MD5

033f9150e241e7accecb60d849481871
SHA1

09067fd23539df1ece704a92b2dca8e32f20f7c8
SHA256

5013a9fc3766f0c065d44c9f6a6a8c0101811d7df4860dd50cf627a0d28ed007
SHA512

e08d2eb9edacbda6dfc7b2a153eaa7f38fe967876df28230e0cc88d3511d8f867f32314f49e761f402d1ff6f10fb411546ca549d855d9676992788670d512015

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 4 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exemssecsvc.exe

pid process

1048 mssecsvc.exe
1436 mssecsvc.exe
1560 tasksche.exe
1320 mssecsvc.exe

pid	process
1048	mssecsvc.exe
1436	mssecsvc.exe
1560	tasksche.exe
1320	mssecsvc.exe

Drops file in System32 directory 6 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\OP6EAVMT.txt	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\OP6EAVMT.txt	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\K7NRH37L.txt	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\K7NRH37L.txt	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

936 1436 WerFault.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

pid	pid_target	process	target process
936	1436	WerFault.exe	mssecsvc.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 008858aecddbd601	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionTime = 008858aecddbd601	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\32-e2-17-db-d2-77	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadNetworkName = "Network"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 008858aecddbd601	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadNetworkName = "Network"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\32-e2-17-db-d2-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = e08041ddcddbd601	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionTime = e08041ddcddbd601	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

936 WerFault.exe
936 WerFault.exe
936 WerFault.exe
936 WerFault.exe
936 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 936 WerFault.exe

pid	process
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe
936	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	936	WerFault.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1896 wrote to memory of 1944	1896	rundll32.exe	rundll32.exe
PID 1896 wrote to memory of 1944	1896	rundll32.exe	rundll32.exe
PID 1896 wrote to memory of 1944	1896	rundll32.exe	rundll32.exe
PID 1896 wrote to memory of 1944	1896	rundll32.exe	rundll32.exe
PID 1896 wrote to memory of 1944	1896	rundll32.exe	rundll32.exe
PID 1896 wrote to memory of 1944	1896	rundll32.exe	rundll32.exe
PID 1896 wrote to memory of 1944	1896	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 1048	1944	rundll32.exe	mssecsvc.exe
PID 1944 wrote to memory of 1048	1944	rundll32.exe	mssecsvc.exe
PID 1944 wrote to memory of 1048	1944	rundll32.exe	mssecsvc.exe
PID 1944 wrote to memory of 1048	1944	rundll32.exe	mssecsvc.exe
PID 1436 wrote to memory of 936	1436	mssecsvc.exe	WerFault.exe
PID 1436 wrote to memory of 936	1436	mssecsvc.exe	WerFault.exe
PID 1436 wrote to memory of 936	1436	mssecsvc.exe	WerFault.exe
PID 1436 wrote to memory of 936	1436	mssecsvc.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1944

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1048

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1560

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1180
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
272d02d9694b6108ce0cb93be8af8f16

SHA1
6e34070d194e33e9eef908f71e6cc597d3283f5d

SHA256
79f1263d4f4c1c3fcb3698f6ebb2214999e4fc462cc15f5fe9f366c1e44d2bb8

SHA512
62a7fa4c23e00e41cde6f00270eadc4e17c2b3fc40d5b11526c2791a2aab7f42aee637901c80226d6526c9c57c31b764ccf494b1301016b0111e460c6cd5dc75

Download Submit
C:\Windows\mssecsvc.exe
MD5
272d02d9694b6108ce0cb93be8af8f16

SHA1
6e34070d194e33e9eef908f71e6cc597d3283f5d

SHA256
79f1263d4f4c1c3fcb3698f6ebb2214999e4fc462cc15f5fe9f366c1e44d2bb8

SHA512
62a7fa4c23e00e41cde6f00270eadc4e17c2b3fc40d5b11526c2791a2aab7f42aee637901c80226d6526c9c57c31b764ccf494b1301016b0111e460c6cd5dc75

Download Submit
C:\Windows\mssecsvc.exe
MD5
272d02d9694b6108ce0cb93be8af8f16

SHA1
6e34070d194e33e9eef908f71e6cc597d3283f5d

SHA256
79f1263d4f4c1c3fcb3698f6ebb2214999e4fc462cc15f5fe9f366c1e44d2bb8

SHA512
62a7fa4c23e00e41cde6f00270eadc4e17c2b3fc40d5b11526c2791a2aab7f42aee637901c80226d6526c9c57c31b764ccf494b1301016b0111e460c6cd5dc75

Download Submit
C:\Windows\mssecsvc.exe
MD5
272d02d9694b6108ce0cb93be8af8f16

SHA1
6e34070d194e33e9eef908f71e6cc597d3283f5d

SHA256
79f1263d4f4c1c3fcb3698f6ebb2214999e4fc462cc15f5fe9f366c1e44d2bb8

SHA512
62a7fa4c23e00e41cde6f00270eadc4e17c2b3fc40d5b11526c2791a2aab7f42aee637901c80226d6526c9c57c31b764ccf494b1301016b0111e460c6cd5dc75

Download Submit
C:\Windows\tasksche.exe
MD5
c88722ef42a6ee08cbed91406ea5c0e5

SHA1
643960f48a68ba0778621871f37389215642c423

SHA256
efbc1542b29b798dbbeeb531bbb4b84d422843f9c66d3aff9f301ab9296d8b4c

SHA512
5381f40e08c425f96cc8fe2c3e76c4440d39773889e5d137111441805b1786df5f5b38ed60c9461243f8fcb8078d68174c066695ab9b15a96ba5f6a348950f18

Download Submit
memory/936-9-0x0000000000000000-mapping.dmp

Download
memory/936-10-0x0000000000BA0000-0x0000000000BB1000-memory.dmp

Filesize
68KB

Download
memory/936-11-0x0000000000BA0000-0x0000000000BB1000-memory.dmp

Filesize
68KB

Download
memory/1048-3-0x0000000000000000-mapping.dmp

Download
memory/1744-5-0x000007FEF81B0000-0x000007FEF842A000-memory.dmp

Filesize
2.5MB

Download
memory/1944-2-0x0000000000000000-mapping.dmp

Download