wannacry | 0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430

General

Target

0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430.dll
Size

5.0MB
MD5

e9c7680e62b429a453a356c6429f9c03
SHA1

913133219bbba14cc87de4b658fe68e35a3dd334
SHA256

0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430
SHA512

9d3dc06ab6ab25ce0c52231387041fc54654965d16daf5fc84cbec565b55e234a0a657871107d8225e52a9ed44bd8b88f7ab7564f1d1617dd9c69cc423483341

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1144 mssecsvc.exe
1700 mssecsvc.exe
1432 tasksche.exe

pid	process
1144	mssecsvc.exe
1700	mssecsvc.exe
1432	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 2059cb8e7f49d701	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 2059cb8e7f49d701	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1076 wrote to memory of 2016	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 2016	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 2016	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 2016	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 2016	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 2016	1076	rundll32.exe	rundll32.exe
PID 1076 wrote to memory of 2016	1076	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 1144	2016	rundll32.exe	mssecsvc.exe
PID 2016 wrote to memory of 1144	2016	rundll32.exe	mssecsvc.exe
PID 2016 wrote to memory of 1144	2016	rundll32.exe	mssecsvc.exe
PID 2016 wrote to memory of 1144	2016	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2016

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1144

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1432

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
1dbe1609bf23cfcf9f66c175396b7e21

SHA1
6ef0c7055ee2e098d123d632ee0790b8c804411c

SHA256
26e1b1b49f9ea6c2f6243888788bbd8b948c92b21276133e14bef362cdb02368

SHA512
07e6702f849ccdb4248c1b4bfcfed6cdc08f6afb24818f90746139096ac718f4ce3f57157d97cde0da33ab7eb63af44fb3567e8a180805b49e172449fe5b0dac

Download Submit
C:\Windows\mssecsvc.exe
MD5
1dbe1609bf23cfcf9f66c175396b7e21

SHA1
6ef0c7055ee2e098d123d632ee0790b8c804411c

SHA256
26e1b1b49f9ea6c2f6243888788bbd8b948c92b21276133e14bef362cdb02368

SHA512
07e6702f849ccdb4248c1b4bfcfed6cdc08f6afb24818f90746139096ac718f4ce3f57157d97cde0da33ab7eb63af44fb3567e8a180805b49e172449fe5b0dac

Download Submit
C:\Windows\mssecsvc.exe
MD5
1dbe1609bf23cfcf9f66c175396b7e21

SHA1
6ef0c7055ee2e098d123d632ee0790b8c804411c

SHA256
26e1b1b49f9ea6c2f6243888788bbd8b948c92b21276133e14bef362cdb02368

SHA512
07e6702f849ccdb4248c1b4bfcfed6cdc08f6afb24818f90746139096ac718f4ce3f57157d97cde0da33ab7eb63af44fb3567e8a180805b49e172449fe5b0dac

Download Submit
C:\Windows\tasksche.exe
MD5
d1f42f6f1b7380c6128ddf67aee4d195

SHA1
5d53c8395f3abb2676a2f24258b0a2352c7dcc69

SHA256
69ba8661b9f79de83a7b47a261660e6d692d75283a7fcc68825bddf9494822c9

SHA512
bc0087f30114fdc46d2345fd1e416d767baad937bdb2424878d7d7e04cda11e2c90e546018e0799ca062f66fe51bcc48b9cac60eb3b7a8da6517554fcd4f3fd7

Download Submit
memory/1144-62-0x0000000000000000-mapping.dmp

Download
memory/2016-60-0x0000000000000000-mapping.dmp

Download
memory/2016-61-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads