wannacry | b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908

General

Target

b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908.dll
Size

5.0MB
MD5

ee9ca4f8f8ed58d719013d25637dcab5
SHA1

42255a42373c52680110d6093a9130f2cfc0060e
SHA256

b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908
SHA512

9dbe2f7604d2fd15e9c39f9fd65b77b23402134614f7840e9d9e6b04d811585cc841c54d902f5b041f369ee91f2396aa6dcdbb0d0181f527baf99571a07a301a

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1284 mssecsvc.exe
1704 mssecsvc.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = e096c2e99c4ad701	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = e096c2e99c4ad701	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1284 mssecsvc.exe
1704 mssecsvc.exe

Suspicious behavior: MapViewOfSection 40 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid	process
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1284	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe
1704	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 1284 mssecsvc.exe
Token: SeDebugPrivilege 1704 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	1284	mssecsvc.exe
Token: SeDebugPrivilege	1704	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 2000	1056	rundll32.exe	rundll32.exe
PID 2000 wrote to memory of 1284	2000	rundll32.exe	mssecsvc.exe
PID 2000 wrote to memory of 1284	2000	rundll32.exe	mssecsvc.exe
PID 2000 wrote to memory of 1284	2000	rundll32.exe	mssecsvc.exe
PID 2000 wrote to memory of 1284	2000	rundll32.exe	mssecsvc.exe
PID 1284 wrote to memory of 372	1284	mssecsvc.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	mssecsvc.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	mssecsvc.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	mssecsvc.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	mssecsvc.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	mssecsvc.exe	wininit.exe
PID 1284 wrote to memory of 372	1284	mssecsvc.exe	wininit.exe
PID 1284 wrote to memory of 384	1284	mssecsvc.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	mssecsvc.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	mssecsvc.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	mssecsvc.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	mssecsvc.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	mssecsvc.exe	csrss.exe
PID 1284 wrote to memory of 384	1284	mssecsvc.exe	csrss.exe
PID 1284 wrote to memory of 420	1284	mssecsvc.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	mssecsvc.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	mssecsvc.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	mssecsvc.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	mssecsvc.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	mssecsvc.exe	winlogon.exe
PID 1284 wrote to memory of 420	1284	mssecsvc.exe	winlogon.exe
PID 1284 wrote to memory of 464	1284	mssecsvc.exe	services.exe
PID 1284 wrote to memory of 464	1284	mssecsvc.exe	services.exe
PID 1284 wrote to memory of 464	1284	mssecsvc.exe	services.exe
PID 1284 wrote to memory of 464	1284	mssecsvc.exe	services.exe
PID 1284 wrote to memory of 464	1284	mssecsvc.exe	services.exe
PID 1284 wrote to memory of 464	1284	mssecsvc.exe	services.exe
PID 1284 wrote to memory of 464	1284	mssecsvc.exe	services.exe
PID 1284 wrote to memory of 480	1284	mssecsvc.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	mssecsvc.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	mssecsvc.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	mssecsvc.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	mssecsvc.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	mssecsvc.exe	lsass.exe
PID 1284 wrote to memory of 480	1284	mssecsvc.exe	lsass.exe
PID 1284 wrote to memory of 488	1284	mssecsvc.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	mssecsvc.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	mssecsvc.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	mssecsvc.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	mssecsvc.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	mssecsvc.exe	lsm.exe
PID 1284 wrote to memory of 488	1284	mssecsvc.exe	lsm.exe
PID 1284 wrote to memory of 588	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 588	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 588	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 588	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 588	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 588	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 588	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 664	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 664	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 664	1284	mssecsvc.exe	svchost.exe
PID 1284 wrote to memory of 664	1284	mssecsvc.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:860

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3⤵
PID:1928

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2000

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\MSSECSVC.EXE
MD5
25fd0251076e9423c2c43bef610980a6

SHA1
f53d9047fd3d53579123beab0491c7c4b31638d7

SHA256
e9f2e27814b1c31dafeca36811c54e710daa2f768041d380d80af8f1d201a15b

SHA512
29bd21974e55ba6c85a142d750ecfef78a43b1980a0674b02c297ed4491620b69cdf6152cb4f6144ddfad361c6c642e39892e49b1fb8544e22053ccc5960d295

Download Submit
C:\Windows\mssecsvc.exe
MD5
25fd0251076e9423c2c43bef610980a6

SHA1
f53d9047fd3d53579123beab0491c7c4b31638d7

SHA256
e9f2e27814b1c31dafeca36811c54e710daa2f768041d380d80af8f1d201a15b

SHA512
29bd21974e55ba6c85a142d750ecfef78a43b1980a0674b02c297ed4491620b69cdf6152cb4f6144ddfad361c6c642e39892e49b1fb8544e22053ccc5960d295

Download Submit
C:\Windows\mssecsvc.exe
MD5
25fd0251076e9423c2c43bef610980a6

SHA1
f53d9047fd3d53579123beab0491c7c4b31638d7

SHA256
e9f2e27814b1c31dafeca36811c54e710daa2f768041d380d80af8f1d201a15b

SHA512
29bd21974e55ba6c85a142d750ecfef78a43b1980a0674b02c297ed4491620b69cdf6152cb4f6144ddfad361c6c642e39892e49b1fb8544e22053ccc5960d295

Download Submit
memory/1284-61-0x0000000000000000-mapping.dmp

Download
memory/1284-67-0x000000007EF70000-0x000000007EF7C000-memory.dmp

Filesize
48KB

Download
memory/2000-59-0x0000000000000000-mapping.dmp

Download
memory/2000-60-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads