wannacry | 9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10

General

Target

9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10.dll
Size

5.0MB
MD5

ff38612983c71c9a02e1308157a838cd
SHA1

ad9df85427e1b45fb376d25839107f42a7df738f
SHA256

9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10
SHA512

54afd9c7d142470ff0893d2cf1b72b4db5cec28c221a0e19001701a9e42a5c7887486995c1cc72fb72e149c95950368862c11abb247e9ec0e1b9dd2cd1d81696

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

812 mssecsvc.exe
2196 mssecsvc.exe
3600 tasksche.exe

Drops file in System32 directory 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1844 wrote to memory of 348	1844	rundll32.exe	rundll32.exe
PID 1844 wrote to memory of 348	1844	rundll32.exe	rundll32.exe
PID 1844 wrote to memory of 348	1844	rundll32.exe	rundll32.exe
PID 348 wrote to memory of 812	348	rundll32.exe	mssecsvc.exe
PID 348 wrote to memory of 812	348	rundll32.exe	mssecsvc.exe
PID 348 wrote to memory of 812	348	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3600

C:\WINDOWS\mssecsvc.exe
MD5
8291bc470e0700a4eb0eb4c4cce019ed

SHA1
16f8eb03aaac75e998eb58e2db44d44c3eadb871

SHA256
636af8714b39aef1072bac5f69c7c409960a1f4ee7ea5613b451ef14da2d9c28

SHA512
ed364184bc8a5408b1400920624224bf5bb5803419d5b52836ade6c05a286d0703432fffe83b85ac9c2805e0c922f4630dcff616c718dd1c2e8bc5ba6bcdbc4d

Download Submit
C:\Windows\mssecsvc.exe
MD5
8291bc470e0700a4eb0eb4c4cce019ed

SHA1
16f8eb03aaac75e998eb58e2db44d44c3eadb871

SHA256
636af8714b39aef1072bac5f69c7c409960a1f4ee7ea5613b451ef14da2d9c28

SHA512
ed364184bc8a5408b1400920624224bf5bb5803419d5b52836ade6c05a286d0703432fffe83b85ac9c2805e0c922f4630dcff616c718dd1c2e8bc5ba6bcdbc4d

Download Submit
C:\Windows\mssecsvc.exe
MD5
8291bc470e0700a4eb0eb4c4cce019ed

SHA1
16f8eb03aaac75e998eb58e2db44d44c3eadb871

SHA256
636af8714b39aef1072bac5f69c7c409960a1f4ee7ea5613b451ef14da2d9c28

SHA512
ed364184bc8a5408b1400920624224bf5bb5803419d5b52836ade6c05a286d0703432fffe83b85ac9c2805e0c922f4630dcff616c718dd1c2e8bc5ba6bcdbc4d

Download Submit
C:\Windows\tasksche.exe
MD5
3ba6ad701041de8c58661207f6872d85

SHA1
e500f67e1e3617406152ce49252d59a3186833ec

SHA256
099f733adc72e915baa9139ffae74ed89c486c02cdc56251e7bab3fcd52f53ab

SHA512
b47882cfe5e9103510ef532b020d909c038cb1fc3eefa306bb910a5784f46bc123262b0338806c831a16f92fe26eacfedadecbad16ca21fd5e82fbe10c9bb305

Download Submit
memory/348-114-0x0000000000000000-mapping.dmp

Download
memory/812-115-0x0000000000000000-mapping.dmp

Download