wannacry | 042889c7d19b1c7aec30d171c1e147953907146ff5eb81e3bfc29ca83e962658

General

Target

042889c7d19b1c7aec30d171c1e147953907146ff5eb81e3bfc29ca83e962658.sample.dll
Size

5.0MB
MD5

3b9fa46d89fd099e914d6275cac9171f
SHA1

6236eff5dc07a222bbf60f4e62225f2052b1f55a
SHA256

042889c7d19b1c7aec30d171c1e147953907146ff5eb81e3bfc29ca83e962658
SHA512

d6548746bd45b2e0151c7f7fd2ea0d1ce983f5e659366777def2d8f10f10322733af168d086a5b3d126e7e108263a5b954652f526d93982e4f9719b3411abd27

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2736 mssecsvc.exe
2004 mssecsvc.exe
3144 tasksche.exe

Drops file in System32 directory 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4044 wrote to memory of 60	4044	rundll32.exe	rundll32.exe
PID 4044 wrote to memory of 60	4044	rundll32.exe	rundll32.exe
PID 4044 wrote to memory of 60	4044	rundll32.exe	rundll32.exe
PID 60 wrote to memory of 2736	60	rundll32.exe	mssecsvc.exe
PID 60 wrote to memory of 2736	60	rundll32.exe	mssecsvc.exe
PID 60 wrote to memory of 2736	60	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\042889c7d19b1c7aec30d171c1e147953907146ff5eb81e3bfc29ca83e962658.sample.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3144

C:\WINDOWS\mssecsvc.exe
MD5
f08d0f0cda8772605629e99ba5b8a081

SHA1
99374a3fcbe7a0d383c8fc135fd6eb8107618971

SHA256
03000ec3fa1e5f5340b9336c7ec2c38f1048f3d2aa1531fb0985020231de3e0e

SHA512
86f0132a0c0248a705d2d25b871526ba98b1174374c728ab11631df490c885bbae0c95eee5ba2fee2bd195ed57c593a4ebaf9b2dba8f1d5920079a6893186973

Download Submit
C:\Windows\mssecsvc.exe
MD5
f08d0f0cda8772605629e99ba5b8a081

SHA1
99374a3fcbe7a0d383c8fc135fd6eb8107618971

SHA256
03000ec3fa1e5f5340b9336c7ec2c38f1048f3d2aa1531fb0985020231de3e0e

SHA512
86f0132a0c0248a705d2d25b871526ba98b1174374c728ab11631df490c885bbae0c95eee5ba2fee2bd195ed57c593a4ebaf9b2dba8f1d5920079a6893186973

Download Submit
C:\Windows\mssecsvc.exe
MD5
f08d0f0cda8772605629e99ba5b8a081

SHA1
99374a3fcbe7a0d383c8fc135fd6eb8107618971

SHA256
03000ec3fa1e5f5340b9336c7ec2c38f1048f3d2aa1531fb0985020231de3e0e

SHA512
86f0132a0c0248a705d2d25b871526ba98b1174374c728ab11631df490c885bbae0c95eee5ba2fee2bd195ed57c593a4ebaf9b2dba8f1d5920079a6893186973

Download Submit
C:\Windows\tasksche.exe
MD5
0910f614c33699c34cc61ce10fd35675

SHA1
113833d7e9ef1e234bdd8750cb2b7a39c93911ac

SHA256
68ae02e39a736e0b2464e51b47b5c81fa0d127a15c645ee2297b6aa1e82c2dd5

SHA512
05ff393d6962aa998624f7d97fc4b0f2a87686124a261a54239b426231af1d4210f2e3472359fb536f88d5a6e82abd6a188be957a0240694d62a03e398bdd0ca

Download Submit
memory/60-114-0x0000000000000000-mapping.dmp

Download
memory/2736-115-0x0000000000000000-mapping.dmp

Download