wannacry | 9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488

General

Target

9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488.dll
Size

5.0MB
MD5

ce494e90f5ba942a3f1c0fe557e598bf
SHA1

f9b816aa2e019d192de555ed7fe0fd9aba1d4f68
SHA256

9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488
SHA512

6212b2f7e188048dd83d58db5b42b6cfad34b41f223c94d4996a6402d827bdcb2ff41b8d92992cc399b8582c3f9862e93f7a47409c7edacfb43c1556d57995e1

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

184 mssecsvc.exe
1532 mssecsvc.exe
2384 tasksche.exe

Drops file in System32 directory 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3232 wrote to memory of 3700	3232	rundll32.exe	rundll32.exe
PID 3232 wrote to memory of 3700	3232	rundll32.exe	rundll32.exe
PID 3232 wrote to memory of 3700	3232	rundll32.exe	rundll32.exe
PID 3700 wrote to memory of 184	3700	rundll32.exe	mssecsvc.exe
PID 3700 wrote to memory of 184	3700	rundll32.exe	mssecsvc.exe
PID 3700 wrote to memory of 184	3700	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2384

C:\WINDOWS\mssecsvc.exe
MD5
3d3b7e106612cc5086ef3e8aff697829

SHA1
b25e174d297361d98dc6d9248c1a858346135648

SHA256
d26d0b5d6dd45a1c25aa5b5202f139eb90ded45216aaba4a6321f9e3ec5fd94a

SHA512
2df70df4cb5b9d2343f78f2bedc7fcccfd0bd2c8c95e6d27688669d9889616a12e264f2d9d963fb85d3501d571094a8f41a9f95ea54ffe621a160af8fda26f41

Download Submit
C:\Windows\mssecsvc.exe
MD5
3d3b7e106612cc5086ef3e8aff697829

SHA1
b25e174d297361d98dc6d9248c1a858346135648

SHA256
d26d0b5d6dd45a1c25aa5b5202f139eb90ded45216aaba4a6321f9e3ec5fd94a

SHA512
2df70df4cb5b9d2343f78f2bedc7fcccfd0bd2c8c95e6d27688669d9889616a12e264f2d9d963fb85d3501d571094a8f41a9f95ea54ffe621a160af8fda26f41

Download Submit
C:\Windows\mssecsvc.exe
MD5
3d3b7e106612cc5086ef3e8aff697829

SHA1
b25e174d297361d98dc6d9248c1a858346135648

SHA256
d26d0b5d6dd45a1c25aa5b5202f139eb90ded45216aaba4a6321f9e3ec5fd94a

SHA512
2df70df4cb5b9d2343f78f2bedc7fcccfd0bd2c8c95e6d27688669d9889616a12e264f2d9d963fb85d3501d571094a8f41a9f95ea54ffe621a160af8fda26f41

Download Submit
C:\Windows\tasksche.exe
MD5
72a0273e5bdad2089ab90020265fcbce

SHA1
4a64856c9b86cc9f74fc6e74524d3cb09c3668a4

SHA256
45dc98a814d1bfd4ba7790b607da53678df7c99e3e1747f7ad4f56899e3805e4

SHA512
e02a324565dee584ba64e47936c5ab6a70d0c00e69e9767bf82d8c8195771a8270699f72ad0d64a490d22b0be32b54ce04c3df973baa8e8b65434781e848eb02

Download Submit
memory/184-115-0x0000000000000000-mapping.dmp

Download
memory/3700-114-0x0000000000000000-mapping.dmp

Download