wannacry | 7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488

General

Target

7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488.dll
Size

5.0MB
MD5

17ce16bf307c1059fe2fb55c0c48a483
SHA1

5920ae8ad63307472a51d35d842fcf247c381b7c
SHA256

7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488
SHA512

cc8b90d12b0da5232b6122158c04f4c8d702fc833c7b13673836f111dff29bed4fadf2e2ad73524246e214eebcb06969d177c734b54b90b145f6dba8f2bff48d

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1596 mssecsvc.exe
3024 mssecsvc.exe
3280 tasksche.exe

Drops file in System32 directory 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3876 wrote to memory of 508	3876	rundll32.exe	rundll32.exe
PID 3876 wrote to memory of 508	3876	rundll32.exe	rundll32.exe
PID 3876 wrote to memory of 508	3876	rundll32.exe	rundll32.exe
PID 508 wrote to memory of 1596	508	rundll32.exe	mssecsvc.exe
PID 508 wrote to memory of 1596	508	rundll32.exe	mssecsvc.exe
PID 508 wrote to memory of 1596	508	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3280

C:\WINDOWS\mssecsvc.exe
MD5
670c09c18ad4df5aa8b930a0c1e08139

SHA1
0e174b5eb3afbf6dcc9697b806594e4ee0233509

SHA256
f3ca25648788f79556688c34040803cf9529768191337f1826c6db1eb8d74175

SHA512
a89abc638b507efd2d382d828c60f15a3e9b7837a75e91512a6232ec7db439d9bfda037f040eceba215c965e75a72e4a7a1318e70a86f69d5bdaebab31edb1a9

Download Submit
C:\Windows\mssecsvc.exe
MD5
670c09c18ad4df5aa8b930a0c1e08139

SHA1
0e174b5eb3afbf6dcc9697b806594e4ee0233509

SHA256
f3ca25648788f79556688c34040803cf9529768191337f1826c6db1eb8d74175

SHA512
a89abc638b507efd2d382d828c60f15a3e9b7837a75e91512a6232ec7db439d9bfda037f040eceba215c965e75a72e4a7a1318e70a86f69d5bdaebab31edb1a9

Download Submit
C:\Windows\mssecsvc.exe
MD5
670c09c18ad4df5aa8b930a0c1e08139

SHA1
0e174b5eb3afbf6dcc9697b806594e4ee0233509

SHA256
f3ca25648788f79556688c34040803cf9529768191337f1826c6db1eb8d74175

SHA512
a89abc638b507efd2d382d828c60f15a3e9b7837a75e91512a6232ec7db439d9bfda037f040eceba215c965e75a72e4a7a1318e70a86f69d5bdaebab31edb1a9

Download Submit
C:\Windows\tasksche.exe
MD5
1e16fd7d2fde97db36e4ea1eb44b3238

SHA1
22be01f932fa82f08c0d1426e44deaf8ef83d95c

SHA256
31d5da4377e51cfade377deb989652edb5c0262029d8df7d0ea64a7ce25cfb21

SHA512
92617e6dff208d6c9ca4e778a2ec12d33d79f4bb51d0c28275f54a2be1117e8d0f27cc6526858e63c3c3551467fc5403debeb041ba696478be4753ec697a3131

Download Submit
memory/508-114-0x0000000000000000-mapping.dmp

Download
memory/1596-115-0x0000000000000000-mapping.dmp

Download