wannacry | 03e0bb1da81f91a28a822dee6e113ca82db76072a5159c27e76632b770191065

General

Target

709460272380d30e81c5d1797b2ee1ab7fa62537.dll
Size

5.0MB
MD5

a35833d30e65f9a68a74f86f0b432b0e
SHA1

709460272380d30e81c5d1797b2ee1ab7fa62537
SHA256

03e0bb1da81f91a28a822dee6e113ca82db76072a5159c27e76632b770191065
SHA512

cebc1fc2a8f617ad5847eb70e35f36d8fac4892546b25f29eed6a0ed2489e230c073903de6e2a121b5553a95e386e7cfef765bb1e964e3134fcf89b172624160

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4284 created 2408 4284 WerFault.exe tasksche.exe
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

4644 mssecsvr.exe
4956 mssecsvr.exe
2408 tasksche.exe

description	pid	process	target process
PID 4284 created 2408	4284	WerFault.exe	tasksche.exe

pid	process
4644	mssecsvr.exe
4956	mssecsvr.exe
2408	tasksche.exe

Drops file in Windows directory 8 IoCs

Processes:

mssecsvr.exesvchost.exerundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1364 2408 WerFault.exe tasksche.exe

pid	pid_target	process	target process
1364	2408	WerFault.exe	tasksche.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WerFault.exe

pid process

1364 WerFault.exe
1364 WerFault.exe

pid	process
1364	WerFault.exe
1364	WerFault.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exesvchost.exe

description	pid	process
Token: SeRestorePrivilege	1364	WerFault.exe
Token: SeBackupPrivilege	1364	WerFault.exe
Token: SeShutdownPrivilege	212	svchost.exe
Token: SeCreatePagefilePrivilege	212	svchost.exe
Token: SeShutdownPrivilege	212	svchost.exe
Token: SeCreatePagefilePrivilege	212	svchost.exe
Token: SeShutdownPrivilege	212	svchost.exe
Token: SeCreatePagefilePrivilege	212	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exeWerFault.exe

description	pid	process	target process
PID 1452 wrote to memory of 1516	1452	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 1516	1452	rundll32.exe	rundll32.exe
PID 1452 wrote to memory of 1516	1452	rundll32.exe	rundll32.exe
PID 1516 wrote to memory of 4644	1516	rundll32.exe	mssecsvr.exe
PID 1516 wrote to memory of 4644	1516	rundll32.exe	mssecsvr.exe
PID 1516 wrote to memory of 4644	1516	rundll32.exe	mssecsvr.exe
PID 4644 wrote to memory of 2408	4644	mssecsvr.exe	tasksche.exe
PID 4644 wrote to memory of 2408	4644	mssecsvr.exe	tasksche.exe
PID 4644 wrote to memory of 2408	4644	mssecsvr.exe	tasksche.exe
PID 4284 wrote to memory of 2408	4284	WerFault.exe	tasksche.exe
PID 4284 wrote to memory of 2408	4284	WerFault.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\709460272380d30e81c5d1797b2ee1ab7fa62537.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\709460272380d30e81c5d1797b2ee1ab7fa62537.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 604
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2408 -ip 2408
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvr.exe

MD5
fa64901f81311acd8204bfe3c2c2e4b8

SHA1
14042481238f18c63fc6709d84b261ddcef5fb1f

SHA256
70ce95163cb4f26e760d93c38278fe91572f8675073da509e7f84878bb2ce9c3

SHA512
21ab80f72986ad83a21718cd37a79ef2f401b6eb93037ff05f2d7164c243051005639f6f364fd410da2d06bf1bb12ce0dc55ee40378c62d41bcbd05209377e7e

Download Submit
C:\WINDOWS\tasksche.exe

MD5
f3887f6b0a7b004fd60b4ef7e336e184

SHA1
e7ca69898e36996c9bec4fdb174f3ac9de710169

SHA256
a990c4a9a8b9dc0aff1a390410b9613b462e6feb4fba20573a3db0be96b028ff

SHA512
905fa7f26ea65f408bae8805082ed8b45215f1a328faaa935b8d3d8759457ace0071dd862a38814a1a0dffe5d0b37d7c89d540c1d778228c64029ddb3c039c6d

Download Submit
C:\Windows\mssecsvr.exe

MD5
fa64901f81311acd8204bfe3c2c2e4b8

SHA1
14042481238f18c63fc6709d84b261ddcef5fb1f

SHA256
70ce95163cb4f26e760d93c38278fe91572f8675073da509e7f84878bb2ce9c3

SHA512
21ab80f72986ad83a21718cd37a79ef2f401b6eb93037ff05f2d7164c243051005639f6f364fd410da2d06bf1bb12ce0dc55ee40378c62d41bcbd05209377e7e

Download Submit
C:\Windows\mssecsvr.exe

MD5
fa64901f81311acd8204bfe3c2c2e4b8

SHA1
14042481238f18c63fc6709d84b261ddcef5fb1f

SHA256
70ce95163cb4f26e760d93c38278fe91572f8675073da509e7f84878bb2ce9c3

SHA512
21ab80f72986ad83a21718cd37a79ef2f401b6eb93037ff05f2d7164c243051005639f6f364fd410da2d06bf1bb12ce0dc55ee40378c62d41bcbd05209377e7e

Download Submit
C:\Windows\tasksche.exe

MD5
f3887f6b0a7b004fd60b4ef7e336e184

SHA1
e7ca69898e36996c9bec4fdb174f3ac9de710169

SHA256
a990c4a9a8b9dc0aff1a390410b9613b462e6feb4fba20573a3db0be96b028ff

SHA512
905fa7f26ea65f408bae8805082ed8b45215f1a328faaa935b8d3d8759457ace0071dd862a38814a1a0dffe5d0b37d7c89d540c1d778228c64029ddb3c039c6d

Download Submit
memory/212-135-0x0000027BC1330000-0x0000027BC1340000-memory.dmp

Filesize
64KB

Download
memory/212-136-0x0000027BC1390000-0x0000027BC13A0000-memory.dmp

Filesize
64KB

Download
memory/212-137-0x0000027BC4070000-0x0000027BC4074000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads