wannacry | da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c

General

Target

da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll
Size

5.0MB
MD5

b7aaeb286309a92f575247014054dc9a
SHA1

5420861f432a03c2371cd2d38dfa7b311dc4b4b8
SHA256

da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c
SHA512

e4cfe25feb734f93b1c861ad8ae384f04d19773e4c7a081b82150b4d532ebc52c68516c6f8d6281ac32ae61b0f1689b204c541db965158fc7c1a0adf27d5cd0c

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1028 mssecsvc.exe
1788 mssecsvc.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1028 mssecsvc.exe
1788 mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious behavior: MapViewOfSection 39 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid	process
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1028	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe
1788	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 1028 mssecsvc.exe
Token: SeDebugPrivilege 1788 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	1028	mssecsvc.exe
Token: SeDebugPrivilege	1788	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1420 wrote to memory of 1188	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1188	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1188	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1188	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1188	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1188	1420	rundll32.exe	rundll32.exe
PID 1420 wrote to memory of 1188	1420	rundll32.exe	rundll32.exe
PID 1188 wrote to memory of 1028	1188	rundll32.exe	mssecsvc.exe
PID 1188 wrote to memory of 1028	1188	rundll32.exe	mssecsvc.exe
PID 1188 wrote to memory of 1028	1188	rundll32.exe	mssecsvc.exe
PID 1188 wrote to memory of 1028	1188	rundll32.exe	mssecsvc.exe
PID 1028 wrote to memory of 372	1028	mssecsvc.exe	wininit.exe
PID 1028 wrote to memory of 372	1028	mssecsvc.exe	wininit.exe
PID 1028 wrote to memory of 372	1028	mssecsvc.exe	wininit.exe
PID 1028 wrote to memory of 372	1028	mssecsvc.exe	wininit.exe
PID 1028 wrote to memory of 372	1028	mssecsvc.exe	wininit.exe
PID 1028 wrote to memory of 372	1028	mssecsvc.exe	wininit.exe
PID 1028 wrote to memory of 372	1028	mssecsvc.exe	wininit.exe
PID 1028 wrote to memory of 384	1028	mssecsvc.exe	csrss.exe
PID 1028 wrote to memory of 384	1028	mssecsvc.exe	csrss.exe
PID 1028 wrote to memory of 384	1028	mssecsvc.exe	csrss.exe
PID 1028 wrote to memory of 384	1028	mssecsvc.exe	csrss.exe
PID 1028 wrote to memory of 384	1028	mssecsvc.exe	csrss.exe
PID 1028 wrote to memory of 384	1028	mssecsvc.exe	csrss.exe
PID 1028 wrote to memory of 384	1028	mssecsvc.exe	csrss.exe
PID 1028 wrote to memory of 420	1028	mssecsvc.exe	winlogon.exe
PID 1028 wrote to memory of 420	1028	mssecsvc.exe	winlogon.exe
PID 1028 wrote to memory of 420	1028	mssecsvc.exe	winlogon.exe
PID 1028 wrote to memory of 420	1028	mssecsvc.exe	winlogon.exe
PID 1028 wrote to memory of 420	1028	mssecsvc.exe	winlogon.exe
PID 1028 wrote to memory of 420	1028	mssecsvc.exe	winlogon.exe
PID 1028 wrote to memory of 420	1028	mssecsvc.exe	winlogon.exe
PID 1028 wrote to memory of 464	1028	mssecsvc.exe	services.exe
PID 1028 wrote to memory of 464	1028	mssecsvc.exe	services.exe
PID 1028 wrote to memory of 464	1028	mssecsvc.exe	services.exe
PID 1028 wrote to memory of 464	1028	mssecsvc.exe	services.exe
PID 1028 wrote to memory of 464	1028	mssecsvc.exe	services.exe
PID 1028 wrote to memory of 464	1028	mssecsvc.exe	services.exe
PID 1028 wrote to memory of 464	1028	mssecsvc.exe	services.exe
PID 1028 wrote to memory of 480	1028	mssecsvc.exe	lsass.exe
PID 1028 wrote to memory of 480	1028	mssecsvc.exe	lsass.exe
PID 1028 wrote to memory of 480	1028	mssecsvc.exe	lsass.exe
PID 1028 wrote to memory of 480	1028	mssecsvc.exe	lsass.exe
PID 1028 wrote to memory of 480	1028	mssecsvc.exe	lsass.exe
PID 1028 wrote to memory of 480	1028	mssecsvc.exe	lsass.exe
PID 1028 wrote to memory of 480	1028	mssecsvc.exe	lsass.exe
PID 1028 wrote to memory of 488	1028	mssecsvc.exe	lsm.exe
PID 1028 wrote to memory of 488	1028	mssecsvc.exe	lsm.exe
PID 1028 wrote to memory of 488	1028	mssecsvc.exe	lsm.exe
PID 1028 wrote to memory of 488	1028	mssecsvc.exe	lsm.exe
PID 1028 wrote to memory of 488	1028	mssecsvc.exe	lsm.exe
PID 1028 wrote to memory of 488	1028	mssecsvc.exe	lsm.exe
PID 1028 wrote to memory of 488	1028	mssecsvc.exe	lsm.exe
PID 1028 wrote to memory of 580	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 580	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 580	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 580	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 580	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 580	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 580	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 660	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 660	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 660	1028	mssecsvc.exe	svchost.exe
PID 1028 wrote to memory of 660	1028	mssecsvc.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:792

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:876

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:112

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:284

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:580

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1188

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\MSSECSVC.EXE
MD5
6081e20a243389a518cb8055bc93a948

SHA1
7695d90ba77b4b7c493093805ecae511da226b07

SHA256
3fe6d0ad1b4253c297f7979e6e72196a8e884f45d2921c7133c8cfe6695ad740

SHA512
a4713c0e608bba5c8cc87c83f8d69282a47c487ab3ec587ee62e375bd6c66e5180e88bd539ff2479197dda21268577d10240c4b4fb30e11936fb4a58ec1ae94f

Download Submit
C:\Windows\mssecsvc.exe
MD5
6081e20a243389a518cb8055bc93a948

SHA1
7695d90ba77b4b7c493093805ecae511da226b07

SHA256
3fe6d0ad1b4253c297f7979e6e72196a8e884f45d2921c7133c8cfe6695ad740

SHA512
a4713c0e608bba5c8cc87c83f8d69282a47c487ab3ec587ee62e375bd6c66e5180e88bd539ff2479197dda21268577d10240c4b4fb30e11936fb4a58ec1ae94f

Download Submit
C:\Windows\mssecsvc.exe
MD5
6081e20a243389a518cb8055bc93a948

SHA1
7695d90ba77b4b7c493093805ecae511da226b07

SHA256
3fe6d0ad1b4253c297f7979e6e72196a8e884f45d2921c7133c8cfe6695ad740

SHA512
a4713c0e608bba5c8cc87c83f8d69282a47c487ab3ec587ee62e375bd6c66e5180e88bd539ff2479197dda21268577d10240c4b4fb30e11936fb4a58ec1ae94f

Download Submit
memory/1028-61-0x0000000000000000-mapping.dmp

Download
memory/1028-67-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/1188-59-0x0000000000000000-mapping.dmp

Download
memory/1188-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads