wannacry | 8ba1caeb6c834ffa35b6cf7875bbde3d9bc5b365ab325d2988f3a2c430536046

General

Target

0e46a10cc2b091b22e1c34f4a45d4ece_JaffaCakes118.dll
Size

5.0MB
MD5

0e46a10cc2b091b22e1c34f4a45d4ece
SHA1

c975b7dca865b11a8bebe94dbc4b0582cb82bf95
SHA256

8ba1caeb6c834ffa35b6cf7875bbde3d9bc5b365ab325d2988f3a2c430536046
SHA512

edac02cc577199aaedb6674bf737cf4f262cfa1e7b3684bfaf49cd08371b40053491b48e17f8a2ff87a4d5fa6a9a0699ff69811fce2b7f1bd124636365b1c5d9
SSDEEP

24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLK:znAQqMSPbcBVQej/1IN

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3203) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2272 mssecsvc.exe
2700 mssecsvc.exe
2568 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2272	mssecsvc.exe
2700	mssecsvc.exe
2568	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-43-c9-72-9c-36\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\7e-43-c9-72-9c-36	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-43-c9-72-9c-36\WpadDecisionTime = e06918667d9cda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\WpadDecisionTime = e06918667d9cda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-43-c9-72-9c-36	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-43-c9-72-9c-36\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2196 wrote to memory of 3048	2196	rundll32.exe	rundll32.exe
PID 2196 wrote to memory of 3048	2196	rundll32.exe	rundll32.exe
PID 2196 wrote to memory of 3048	2196	rundll32.exe	rundll32.exe
PID 2196 wrote to memory of 3048	2196	rundll32.exe	rundll32.exe
PID 2196 wrote to memory of 3048	2196	rundll32.exe	rundll32.exe
PID 2196 wrote to memory of 3048	2196	rundll32.exe	rundll32.exe
PID 2196 wrote to memory of 3048	2196	rundll32.exe	rundll32.exe
PID 3048 wrote to memory of 2272	3048	rundll32.exe	mssecsvc.exe
PID 3048 wrote to memory of 2272	3048	rundll32.exe	mssecsvc.exe
PID 3048 wrote to memory of 2272	3048	rundll32.exe	mssecsvc.exe
PID 3048 wrote to memory of 2272	3048	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e46a10cc2b091b22e1c34f4a45d4ece_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e46a10cc2b091b22e1c34f4a45d4ece_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3048

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2272

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2568

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e8a4a145bebc1c9e13d57c8757c3c263

SHA1
de8d37de2044a3adf025f5e52625daac5783a600

SHA256
a9b1f67851abb542a99e382456fe4b28991d898ed40203df391544d7ea917b86

SHA512
4b49622fa61c643fb837e56fe9a07593fa9f10a086fcdb8ec47dd7fe103f5c1b2983ee75bc185f255db1e53144457f8e6add68110d3fb17a09a5eaab57ca25a3

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
78177eb0fa6b0c24cfed2a8fe6c52be2

SHA1
0c0b4d3d9b00e7d225e785ee95967daee551bf31

SHA256
65fec100385eea10e983c589a62857befa4b9b6f1270dc4dfcdbe1a9cb66195b

SHA512
d35c4a70ecbe24d9e73b29c6269349f3a89941ee2e6cb8b663e1d85ef5730edef4557ac66c5d128ec1b28722122193b1fdd30b5c0219b244379b51db8a1a6d85

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads