wannacry | 6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08

General

Target

6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08.dll
Size

5.0MB
MD5

51b2d63e9620e8cc494f44c9fe856a09
SHA1

4ba0268089ede8bc03655848904bdbbf31e8e590
SHA256

6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08
SHA512

41bf9614e8a9cbf8c52e255d82ca8af8be9fd076fece0d5c9ecfbb89ce1c278599b44d81b8dfc0190643e5890f31052aa6e6c67a4762dbf057d4ea586579f48b

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1412 mssecsvc.exe
1708 mssecsvc.exe
1288 tasksche.exe

pid	process
1412	mssecsvc.exe
1708	mssecsvc.exe
1288	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = c0e6f7b08148d701	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = c0e6f7b08148d701	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1688 wrote to memory of 1812	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1812	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1812	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1812	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1812	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1812	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1812	1688	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 1412	1812	rundll32.exe	mssecsvc.exe
PID 1812 wrote to memory of 1412	1812	rundll32.exe	mssecsvc.exe
PID 1812 wrote to memory of 1412	1812	rundll32.exe	mssecsvc.exe
PID 1812 wrote to memory of 1412	1812	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1812

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1412

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1288

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
ea850e72db29f2afeffd9a5d73fce46a

SHA1
23085cf73ae605e92dcf0b05c9eb753ccf2d2208

SHA256
9ef975ddd81f1fadfd54dd5fca21c36406fc64cc94180de386574e7bf5e2d104

SHA512
94dbeb10dfd9ef8680b307027ea49bff2d287c3ab3c82c602589c10db0a03c9de68cb126a1e3b874a94be98a7366541a5e0b5fe1cdcff53e2815578a85ba9ebd

Download Submit
C:\Windows\mssecsvc.exe
MD5
ea850e72db29f2afeffd9a5d73fce46a

SHA1
23085cf73ae605e92dcf0b05c9eb753ccf2d2208

SHA256
9ef975ddd81f1fadfd54dd5fca21c36406fc64cc94180de386574e7bf5e2d104

SHA512
94dbeb10dfd9ef8680b307027ea49bff2d287c3ab3c82c602589c10db0a03c9de68cb126a1e3b874a94be98a7366541a5e0b5fe1cdcff53e2815578a85ba9ebd

Download Submit
C:\Windows\mssecsvc.exe
MD5
ea850e72db29f2afeffd9a5d73fce46a

SHA1
23085cf73ae605e92dcf0b05c9eb753ccf2d2208

SHA256
9ef975ddd81f1fadfd54dd5fca21c36406fc64cc94180de386574e7bf5e2d104

SHA512
94dbeb10dfd9ef8680b307027ea49bff2d287c3ab3c82c602589c10db0a03c9de68cb126a1e3b874a94be98a7366541a5e0b5fe1cdcff53e2815578a85ba9ebd

Download Submit
C:\Windows\tasksche.exe
MD5
9c1aa2b49383fada47dfe88d6da14b44

SHA1
a0230d3601de00ddd893a399dc9c6d081aa2962a

SHA256
a557bf0c29df2264aa58fd54d4c43f423288969425cf3bd15f618f0691fb6cc2

SHA512
d6752103596a01c78450bba4625600e7ab03bb9b00c47a4b2ba47b8d0ac3af2aeeb03637789f2bd6403a7b87eb1e4fa39b6d53ce71767e9119562d0c8ea2eb8a

Download Submit
memory/1412-61-0x0000000000000000-mapping.dmp

Download
memory/1812-59-0x0000000000000000-mapping.dmp

Download
memory/1812-60-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads