wannacry | fb2ddd079c9ea48c32edc702707a2e117e076a09196deec14f3eb9bb7492d619

General

Target

fb2ddd079c9ea48c32edc702707a2e117e076a09196deec14f3eb9bb7492d619.dll
Size

5.0MB
MD5

7c7262d9e49a40a52d0040942810456c
SHA1

11f1d0fc532dd8ac926e4ecbae734a484bccb54c
SHA256

fb2ddd079c9ea48c32edc702707a2e117e076a09196deec14f3eb9bb7492d619
SHA512

36ecf7c53affcbf2aaf4bd6455ad230c3f1271ab2f82036c8b557144f85724e1f8921a3e658c8076c980fcbce5224d093b7a5960d6d6671218da8e5167f877f2

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

1944 mssecsvr.exe
1372 mssecsvr.exe
108 tasksche.exe

pid	process
1944	mssecsvr.exe
1372	mssecsvr.exe
108	tasksche.exe

Drops file in System32 directory 3 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\C4KRFCOP.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\C4KRFCOP.txt	mssecsvr.exe

Drops file in Windows directory 4 IoCs

Processes:

rundll32.exemssecsvr.exetasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259308808	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 30eb3ee88646d701	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 30eb3ee88646d701	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\32-e2-17-db-d2-77	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tasksche.exe

pid process

108 tasksche.exe

pid	process
108	tasksche.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exe

description	pid	process	target process
PID 1848 wrote to memory of 2024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 2024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 2024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 2024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 2024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 2024	1848	rundll32.exe	rundll32.exe
PID 1848 wrote to memory of 2024	1848	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 1944	2024	rundll32.exe	mssecsvr.exe
PID 2024 wrote to memory of 1944	2024	rundll32.exe	mssecsvr.exe
PID 2024 wrote to memory of 1944	2024	rundll32.exe	mssecsvr.exe
PID 2024 wrote to memory of 1944	2024	rundll32.exe	mssecsvr.exe
PID 1944 wrote to memory of 108	1944	mssecsvr.exe	tasksche.exe
PID 1944 wrote to memory of 108	1944	mssecsvr.exe	tasksche.exe
PID 1944 wrote to memory of 108	1944	mssecsvr.exe	tasksche.exe
PID 1944 wrote to memory of 108	1944	mssecsvr.exe	tasksche.exe
PID 1944 wrote to memory of 108	1944	mssecsvr.exe	tasksche.exe
PID 1944 wrote to memory of 108	1944	mssecsvr.exe	tasksche.exe
PID 1944 wrote to memory of 108	1944	mssecsvr.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb2ddd079c9ea48c32edc702707a2e117e076a09196deec14f3eb9bb7492d619.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb2ddd079c9ea48c32edc702707a2e117e076a09196deec14f3eb9bb7492d619.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1944

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:108

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe
MD5
a0a9d89096902bd94346342034c5101b

SHA1
0c4684c974a521cc2df6c9d654782142ca111cc3

SHA256
b2964fc76f83f1d7ac04a95995e2e04c4126a3026d09961232ff605144b8f175

SHA512
97bafcf6d0e1682fddc0723ffa7beba51bc241420ce06275c78e5427bad779426db1295c33e3f498d93d9fc5a9f45f290386e228a77db4ae8958e3f86b4c657c

Download Submit
C:\WINDOWS\tasksche.exe
MD5
97fe88aae55e849dce84bb3a105633d0

SHA1
8b70f9988f52b48e6c5997820215793ac31ade8f

SHA256
5374f0ace1103f63611d466af63c662a32f38f978358084aa763b39dccd83d2b

SHA512
5edf54319fbdf72783327de3e6702d2daf2ecc2997a9677939135e806bdaad1ea60c9d08dc8341b427832d704f1d232e66c159e11ebd63ef846bb966ccaa1127

Download Submit
C:\Windows\mssecsvr.exe
MD5
a0a9d89096902bd94346342034c5101b

SHA1
0c4684c974a521cc2df6c9d654782142ca111cc3

SHA256
b2964fc76f83f1d7ac04a95995e2e04c4126a3026d09961232ff605144b8f175

SHA512
97bafcf6d0e1682fddc0723ffa7beba51bc241420ce06275c78e5427bad779426db1295c33e3f498d93d9fc5a9f45f290386e228a77db4ae8958e3f86b4c657c

Download Submit
C:\Windows\mssecsvr.exe
MD5
a0a9d89096902bd94346342034c5101b

SHA1
0c4684c974a521cc2df6c9d654782142ca111cc3

SHA256
b2964fc76f83f1d7ac04a95995e2e04c4126a3026d09961232ff605144b8f175

SHA512
97bafcf6d0e1682fddc0723ffa7beba51bc241420ce06275c78e5427bad779426db1295c33e3f498d93d9fc5a9f45f290386e228a77db4ae8958e3f86b4c657c

Download Submit
C:\Windows\tasksche.exe
MD5
97fe88aae55e849dce84bb3a105633d0

SHA1
8b70f9988f52b48e6c5997820215793ac31ade8f

SHA256
5374f0ace1103f63611d466af63c662a32f38f978358084aa763b39dccd83d2b

SHA512
5edf54319fbdf72783327de3e6702d2daf2ecc2997a9677939135e806bdaad1ea60c9d08dc8341b427832d704f1d232e66c159e11ebd63ef846bb966ccaa1127

Download Submit
memory/108-68-0x0000000000000000-mapping.dmp

Download
memory/1944-62-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x0000000000000000-mapping.dmp

Download
memory/2024-61-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads