wannacry | 8810123ec8fabd8acb91a396572db3229971f85e788ef958022217f8a858ad38

General

Target

8810123ec8fabd8acb91a396572db3229971f85e788ef958022217f8a858ad38.dll
Size

5.0MB
MD5

8d7129d1ad154ae0f261b44b37b6ca01
SHA1

6e6a12140fb66cd4dc21fe2fbcef6bb916796d97
SHA256

8810123ec8fabd8acb91a396572db3229971f85e788ef958022217f8a858ad38
SHA512

c7fe58ea40f9934762665c3221ce186964c4be877d05ade49ca9c7a8380c09487de859f71976f8b826f9f68a635bec1a9e8dc8f8069fc980d0df091e4f2d9145

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1172 mssecsvc.exe
1760 mssecsvc.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 30c65bb4c949d701	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 30c65bb4c949d701	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1172 mssecsvc.exe
1760 mssecsvc.exe

Suspicious behavior: MapViewOfSection 40 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid	process
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1172	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe
1760	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 1172 mssecsvc.exe
Token: SeDebugPrivilege 1760 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	1172	mssecsvc.exe
Token: SeDebugPrivilege	1760	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1996 wrote to memory of 1972	1996	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 1972	1996	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 1972	1996	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 1972	1996	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 1972	1996	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 1972	1996	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 1972	1996	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 1172	1972	rundll32.exe	mssecsvc.exe
PID 1972 wrote to memory of 1172	1972	rundll32.exe	mssecsvc.exe
PID 1972 wrote to memory of 1172	1972	rundll32.exe	mssecsvc.exe
PID 1972 wrote to memory of 1172	1972	rundll32.exe	mssecsvc.exe
PID 1172 wrote to memory of 368	1172	mssecsvc.exe	csrss.exe
PID 1172 wrote to memory of 368	1172	mssecsvc.exe	csrss.exe
PID 1172 wrote to memory of 368	1172	mssecsvc.exe	csrss.exe
PID 1172 wrote to memory of 368	1172	mssecsvc.exe	csrss.exe
PID 1172 wrote to memory of 368	1172	mssecsvc.exe	csrss.exe
PID 1172 wrote to memory of 368	1172	mssecsvc.exe	csrss.exe
PID 1172 wrote to memory of 368	1172	mssecsvc.exe	csrss.exe
PID 1172 wrote to memory of 376	1172	mssecsvc.exe	wininit.exe
PID 1172 wrote to memory of 376	1172	mssecsvc.exe	wininit.exe
PID 1172 wrote to memory of 376	1172	mssecsvc.exe	wininit.exe
PID 1172 wrote to memory of 376	1172	mssecsvc.exe	wininit.exe
PID 1172 wrote to memory of 376	1172	mssecsvc.exe	wininit.exe
PID 1172 wrote to memory of 376	1172	mssecsvc.exe	wininit.exe
PID 1172 wrote to memory of 376	1172	mssecsvc.exe	wininit.exe
PID 1172 wrote to memory of 408	1172	mssecsvc.exe	winlogon.exe
PID 1172 wrote to memory of 408	1172	mssecsvc.exe	winlogon.exe
PID 1172 wrote to memory of 408	1172	mssecsvc.exe	winlogon.exe
PID 1172 wrote to memory of 408	1172	mssecsvc.exe	winlogon.exe
PID 1172 wrote to memory of 408	1172	mssecsvc.exe	winlogon.exe
PID 1172 wrote to memory of 408	1172	mssecsvc.exe	winlogon.exe
PID 1172 wrote to memory of 408	1172	mssecsvc.exe	winlogon.exe
PID 1172 wrote to memory of 460	1172	mssecsvc.exe	services.exe
PID 1172 wrote to memory of 460	1172	mssecsvc.exe	services.exe
PID 1172 wrote to memory of 460	1172	mssecsvc.exe	services.exe
PID 1172 wrote to memory of 460	1172	mssecsvc.exe	services.exe
PID 1172 wrote to memory of 460	1172	mssecsvc.exe	services.exe
PID 1172 wrote to memory of 460	1172	mssecsvc.exe	services.exe
PID 1172 wrote to memory of 460	1172	mssecsvc.exe	services.exe
PID 1172 wrote to memory of 476	1172	mssecsvc.exe	lsass.exe
PID 1172 wrote to memory of 476	1172	mssecsvc.exe	lsass.exe
PID 1172 wrote to memory of 476	1172	mssecsvc.exe	lsass.exe
PID 1172 wrote to memory of 476	1172	mssecsvc.exe	lsass.exe
PID 1172 wrote to memory of 476	1172	mssecsvc.exe	lsass.exe
PID 1172 wrote to memory of 476	1172	mssecsvc.exe	lsass.exe
PID 1172 wrote to memory of 476	1172	mssecsvc.exe	lsass.exe
PID 1172 wrote to memory of 484	1172	mssecsvc.exe	lsm.exe
PID 1172 wrote to memory of 484	1172	mssecsvc.exe	lsm.exe
PID 1172 wrote to memory of 484	1172	mssecsvc.exe	lsm.exe
PID 1172 wrote to memory of 484	1172	mssecsvc.exe	lsm.exe
PID 1172 wrote to memory of 484	1172	mssecsvc.exe	lsm.exe
PID 1172 wrote to memory of 484	1172	mssecsvc.exe	lsm.exe
PID 1172 wrote to memory of 484	1172	mssecsvc.exe	lsm.exe
PID 1172 wrote to memory of 596	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 596	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 596	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 596	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 596	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 596	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 596	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 676	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 676	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 676	1172	mssecsvc.exe	svchost.exe
PID 1172 wrote to memory of 676	1172	mssecsvc.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:408

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:376

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1852

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1092

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:900

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
4⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:676

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:484

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8810123ec8fabd8acb91a396572db3229971f85e788ef958022217f8a858ad38.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8810123ec8fabd8acb91a396572db3229971f85e788ef958022217f8a858ad38.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1972

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\MSSECSVC.EXE
MD5
e0e99fab31fb2dfc5e1a9fa8851f9c50

SHA1
0d3ecae7e60ebe4d943d3c4e13c884accbcabe11

SHA256
ebba7390b4519ed2e2d429542611bf91606c539190b78d95d66de44016681689

SHA512
d1bafed985ebe0de2b8a406f27f9a6929ae74ef5341dfa6f6dbb14395c1065c47055a62bffac86d9708a11188e9ed9f1fd3f1c2de162a1ac49e1288e20f505bc

Download Submit
C:\Windows\mssecsvc.exe
MD5
e0e99fab31fb2dfc5e1a9fa8851f9c50

SHA1
0d3ecae7e60ebe4d943d3c4e13c884accbcabe11

SHA256
ebba7390b4519ed2e2d429542611bf91606c539190b78d95d66de44016681689

SHA512
d1bafed985ebe0de2b8a406f27f9a6929ae74ef5341dfa6f6dbb14395c1065c47055a62bffac86d9708a11188e9ed9f1fd3f1c2de162a1ac49e1288e20f505bc

Download Submit
C:\Windows\mssecsvc.exe
MD5
e0e99fab31fb2dfc5e1a9fa8851f9c50

SHA1
0d3ecae7e60ebe4d943d3c4e13c884accbcabe11

SHA256
ebba7390b4519ed2e2d429542611bf91606c539190b78d95d66de44016681689

SHA512
d1bafed985ebe0de2b8a406f27f9a6929ae74ef5341dfa6f6dbb14395c1065c47055a62bffac86d9708a11188e9ed9f1fd3f1c2de162a1ac49e1288e20f505bc

Download Submit
memory/1172-61-0x0000000000000000-mapping.dmp

Download
memory/1172-67-0x000000007EF70000-0x000000007EF7C000-memory.dmp

Filesize
48KB

Download
memory/1972-59-0x0000000000000000-mapping.dmp

Download
memory/1972-60-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads