wannacry | 4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95

General

Target

4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95.dll
Size

5.0MB
MD5

36631678ad952e3a0f7dd5bccfa3d6f9
SHA1

a08159346ed12fb8c5dee8b1ce4c1fc3fda01254
SHA256

4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95
SHA512

a64e5af897931edb5cd57b421b922a070e5d3d92482eae4751a06a4d2ffa845f9b6db40cd83e1ceff3b9825c8875a11c77f26490294dba2bde64a6c0636e1768

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

768 mssecsvr.exe
200 mssecsvr.exe

pid	process
768	mssecsvr.exe
200	mssecsvr.exe

Drops file in System32 directory 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvr.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvr.exe
File created C:\WINDOWS\mssecsvr.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 852 wrote to memory of 1532	852	rundll32.exe	rundll32.exe
PID 852 wrote to memory of 1532	852	rundll32.exe	rundll32.exe
PID 852 wrote to memory of 1532	852	rundll32.exe	rundll32.exe
PID 1532 wrote to memory of 768	1532	rundll32.exe	mssecsvr.exe
PID 1532 wrote to memory of 768	1532	rundll32.exe	mssecsvr.exe
PID 1532 wrote to memory of 768	1532	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\WINDOWS\mssecsvr.exe
MD5
ea3352c0ca904eda7ee140efe6f3b105

SHA1
e64e377ee7e154826cdd00fa8cbf1705b752b6ff

SHA256
44eed4ecc2c4a133eb595405934bbcb776431bcb560d4f1e9a52f22d0cc24502

SHA512
d9fb1322b6b818ae71e2adc8abc42fab1fe5948c98fdcc366228e14d0bc1ac45c269cb833031d0002b9228bd33befd29c23464ab6ac6d7ed7cfd3ec41deca1a3

Download Submit
C:\Windows\mssecsvr.exe
MD5
ea3352c0ca904eda7ee140efe6f3b105

SHA1
e64e377ee7e154826cdd00fa8cbf1705b752b6ff

SHA256
44eed4ecc2c4a133eb595405934bbcb776431bcb560d4f1e9a52f22d0cc24502

SHA512
d9fb1322b6b818ae71e2adc8abc42fab1fe5948c98fdcc366228e14d0bc1ac45c269cb833031d0002b9228bd33befd29c23464ab6ac6d7ed7cfd3ec41deca1a3

Download Submit
C:\Windows\mssecsvr.exe
MD5
ea3352c0ca904eda7ee140efe6f3b105

SHA1
e64e377ee7e154826cdd00fa8cbf1705b752b6ff

SHA256
44eed4ecc2c4a133eb595405934bbcb776431bcb560d4f1e9a52f22d0cc24502

SHA512
d9fb1322b6b818ae71e2adc8abc42fab1fe5948c98fdcc366228e14d0bc1ac45c269cb833031d0002b9228bd33befd29c23464ab6ac6d7ed7cfd3ec41deca1a3

Download Submit
memory/768-115-0x0000000000000000-mapping.dmp

Download
memory/1532-114-0x0000000000000000-mapping.dmp

Download