wannacry | e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c

General

Target

e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c.dll
Size

5.0MB
MD5

6a75c79078d884b91588891f2e6e8447
SHA1

c3a43a53c49c2a99ccedf369756820a745062d2d
SHA256

e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c
SHA512

8a46873cd8c1a0c5fa6bdd0147e2ef01e0fd8926a23cc86ce6fb7999175c5e88016502eb5f7262a491a2d2d8be3a8d2196feb06cc20f191bd2b1e8194e81b93a

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2488 mssecsvc.exe
3540 mssecsvc.exe
2984 tasksche.exe

Drops file in System32 directory 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2016 wrote to memory of 964	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 964	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 964	2016	rundll32.exe	rundll32.exe
PID 964 wrote to memory of 2488	964	rundll32.exe	mssecsvc.exe
PID 964 wrote to memory of 2488	964	rundll32.exe	mssecsvc.exe
PID 964 wrote to memory of 2488	964	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2984

C:\WINDOWS\mssecsvc.exe
MD5
b3fb79066e2c78886e881eab72508ea2

SHA1
6255f9688abc86f1f9791ecf1e5364444947316d

SHA256
d02107f99381bc9f1a339ed2a5febda059621d404ff97705466969a29da04a75

SHA512
ba1f57d9a07942db332466c3b8693c8c7eef5e0876b1dd2c89b53acf158475f12c478e3c11067f7d9b90f8d76bd315bfe33b1efe41b37b573340937fc1a0c468

Download Submit
C:\Windows\mssecsvc.exe
MD5
b3fb79066e2c78886e881eab72508ea2

SHA1
6255f9688abc86f1f9791ecf1e5364444947316d

SHA256
d02107f99381bc9f1a339ed2a5febda059621d404ff97705466969a29da04a75

SHA512
ba1f57d9a07942db332466c3b8693c8c7eef5e0876b1dd2c89b53acf158475f12c478e3c11067f7d9b90f8d76bd315bfe33b1efe41b37b573340937fc1a0c468

Download Submit
C:\Windows\mssecsvc.exe
MD5
b3fb79066e2c78886e881eab72508ea2

SHA1
6255f9688abc86f1f9791ecf1e5364444947316d

SHA256
d02107f99381bc9f1a339ed2a5febda059621d404ff97705466969a29da04a75

SHA512
ba1f57d9a07942db332466c3b8693c8c7eef5e0876b1dd2c89b53acf158475f12c478e3c11067f7d9b90f8d76bd315bfe33b1efe41b37b573340937fc1a0c468

Download Submit
C:\Windows\tasksche.exe
MD5
1e7f58490de1b17256e518c1efdd3113

SHA1
24a6f9e5768bbe582ca6b52a5723c3bb7d840be9

SHA256
c68b846ca3052caa2a6a714873cbf38bcaecf057628d0207df064476d53e5e33

SHA512
336ff3f9ab827d278f4ffdcf8c985c0ff16f73e91f863605b058131fa3400ed65ea126f80776ce7a2d26f4483d5a5b53e315c68bfb862a5d0f501d04b330fd97

Download Submit
memory/964-114-0x0000000000000000-mapping.dmp

Download
memory/2488-115-0x0000000000000000-mapping.dmp

Download