wannacry | 03e0bb1da81f91a28a822dee6e113ca82db76072a5159c27e76632b770191065

General

Target

709460272380d30e81c5d1797b2ee1ab7fa62537.dll
Size

5.0MB
MD5

a35833d30e65f9a68a74f86f0b432b0e
SHA1

709460272380d30e81c5d1797b2ee1ab7fa62537
SHA256

03e0bb1da81f91a28a822dee6e113ca82db76072a5159c27e76632b770191065
SHA512

cebc1fc2a8f617ad5847eb70e35f36d8fac4892546b25f29eed6a0ed2489e230c073903de6e2a121b5553a95e386e7cfef765bb1e964e3134fcf89b172624160

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

1628 mssecsvr.exe
420 mssecsvr.exe
1432 tasksche.exe

pid	process
1628	mssecsvr.exe
420	mssecsvr.exe
1432	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1724 1432 WerFault.exe tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

pid	pid_target	process	target process
1724	1432	WerFault.exe	tasksche.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0091000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{31201F96-3F15-42FD-8F85-CD17C503CAB3}\WpadDecisionTime = 903ca6dee827d801	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{31201F96-3F15-42FD-8F85-CD17C503CAB3}\3e-03-b2-58-05-47	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-03-b2-58-05-47\WpadDecisionTime = 903ca6dee827d801	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{31201F96-3F15-42FD-8F85-CD17C503CAB3}\WpadDecisionReason = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{31201F96-3F15-42FD-8F85-CD17C503CAB3}\WpadNetworkName = "Network 3"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-03-b2-58-05-47	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-03-b2-58-05-47\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-03-b2-58-05-47\WpadDecision = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{31201F96-3F15-42FD-8F85-CD17C503CAB3}\WpadDecision = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{31201F96-3F15-42FD-8F85-CD17C503CAB3}	mssecsvr.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1724 WerFault.exe
1724 WerFault.exe
1724 WerFault.exe
1724 WerFault.exe
1724 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1724 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1724 WerFault.exe

pid	process
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe
1724	WerFault.exe

pid	process
1724	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1724	WerFault.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exetasksche.exe

description	pid	process	target process
PID 952 wrote to memory of 948	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 948	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 948	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 948	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 948	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 948	952	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 948	952	rundll32.exe	rundll32.exe
PID 948 wrote to memory of 1628	948	rundll32.exe	mssecsvr.exe
PID 948 wrote to memory of 1628	948	rundll32.exe	mssecsvr.exe
PID 948 wrote to memory of 1628	948	rundll32.exe	mssecsvr.exe
PID 948 wrote to memory of 1628	948	rundll32.exe	mssecsvr.exe
PID 1628 wrote to memory of 1432	1628	mssecsvr.exe	tasksche.exe
PID 1628 wrote to memory of 1432	1628	mssecsvr.exe	tasksche.exe
PID 1628 wrote to memory of 1432	1628	mssecsvr.exe	tasksche.exe
PID 1628 wrote to memory of 1432	1628	mssecsvr.exe	tasksche.exe
PID 1628 wrote to memory of 1432	1628	mssecsvr.exe	tasksche.exe
PID 1628 wrote to memory of 1432	1628	mssecsvr.exe	tasksche.exe
PID 1628 wrote to memory of 1432	1628	mssecsvr.exe	tasksche.exe
PID 1432 wrote to memory of 1724	1432	tasksche.exe	WerFault.exe
PID 1432 wrote to memory of 1724	1432	tasksche.exe	WerFault.exe
PID 1432 wrote to memory of 1724	1432	tasksche.exe	WerFault.exe
PID 1432 wrote to memory of 1724	1432	tasksche.exe	WerFault.exe
PID 1432 wrote to memory of 1724	1432	tasksche.exe	WerFault.exe
PID 1432 wrote to memory of 1724	1432	tasksche.exe	WerFault.exe
PID 1432 wrote to memory of 1724	1432	tasksche.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\709460272380d30e81c5d1797b2ee1ab7fa62537.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\709460272380d30e81c5d1797b2ee1ab7fa62537.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 224
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe

MD5
fa64901f81311acd8204bfe3c2c2e4b8

SHA1
14042481238f18c63fc6709d84b261ddcef5fb1f

SHA256
70ce95163cb4f26e760d93c38278fe91572f8675073da509e7f84878bb2ce9c3

SHA512
21ab80f72986ad83a21718cd37a79ef2f401b6eb93037ff05f2d7164c243051005639f6f364fd410da2d06bf1bb12ce0dc55ee40378c62d41bcbd05209377e7e

Download Submit
C:\WINDOWS\tasksche.exe

MD5
f3887f6b0a7b004fd60b4ef7e336e184

SHA1
e7ca69898e36996c9bec4fdb174f3ac9de710169

SHA256
a990c4a9a8b9dc0aff1a390410b9613b462e6feb4fba20573a3db0be96b028ff

SHA512
905fa7f26ea65f408bae8805082ed8b45215f1a328faaa935b8d3d8759457ace0071dd862a38814a1a0dffe5d0b37d7c89d540c1d778228c64029ddb3c039c6d

Download Submit
C:\Windows\mssecsvr.exe

MD5
fa64901f81311acd8204bfe3c2c2e4b8

SHA1
14042481238f18c63fc6709d84b261ddcef5fb1f

SHA256
70ce95163cb4f26e760d93c38278fe91572f8675073da509e7f84878bb2ce9c3

SHA512
21ab80f72986ad83a21718cd37a79ef2f401b6eb93037ff05f2d7164c243051005639f6f364fd410da2d06bf1bb12ce0dc55ee40378c62d41bcbd05209377e7e

Download Submit
C:\Windows\mssecsvr.exe

MD5
fa64901f81311acd8204bfe3c2c2e4b8

SHA1
14042481238f18c63fc6709d84b261ddcef5fb1f

SHA256
70ce95163cb4f26e760d93c38278fe91572f8675073da509e7f84878bb2ce9c3

SHA512
21ab80f72986ad83a21718cd37a79ef2f401b6eb93037ff05f2d7164c243051005639f6f364fd410da2d06bf1bb12ce0dc55ee40378c62d41bcbd05209377e7e

Download Submit
C:\Windows\tasksche.exe

MD5
f3887f6b0a7b004fd60b4ef7e336e184

SHA1
e7ca69898e36996c9bec4fdb174f3ac9de710169

SHA256
a990c4a9a8b9dc0aff1a390410b9613b462e6feb4fba20573a3db0be96b028ff

SHA512
905fa7f26ea65f408bae8805082ed8b45215f1a328faaa935b8d3d8759457ace0071dd862a38814a1a0dffe5d0b37d7c89d540c1d778228c64029ddb3c039c6d

Download Submit
memory/948-55-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download
memory/1724-65-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads