wannacry | ad23984d8f9812e3fad7678f27047fc02ae32df440a49afe3af810a5fdc282e2

General

Target

15d83ee4639da1901b35df7a5b0e9a39_JaffaCakes118.dll
Size

5.0MB
MD5

15d83ee4639da1901b35df7a5b0e9a39
SHA1

61a438e87311b8703e18c227fa81779508c19840
SHA256

ad23984d8f9812e3fad7678f27047fc02ae32df440a49afe3af810a5fdc282e2
SHA512

e8bd126be0269f5162a382765e53d4a506367434fac94ff157347b58687846878de28950584f011bad9689c28fad08b26d4fb48ba2aa3541cb720115bd5eff9a
SSDEEP

49152:SnAQqMSPbcBVQej/1cOQ77JU+3qrNei6Omk:+DqPoBhz1GU+3az6Omk

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3354) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1716 mssecsvc.exe
2604 mssecsvc.exe
2712 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1716	mssecsvc.exe
2604	mssecsvc.exe
2712	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cd-e7-ec-a5-5b\WpadDecisionTime = 40f0d7289f9eda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cd-e7-ec-a5-5b	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cd-e7-ec-a5-5b\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\WpadDecisionTime = 40f0d7289f9eda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cd-e7-ec-a5-5b\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\02-cd-e7-ec-a5-5b	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2012 wrote to memory of 2088	2012	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 2088	2012	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 2088	2012	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 2088	2012	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 2088	2012	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 2088	2012	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 2088	2012	rundll32.exe	rundll32.exe
PID 2088 wrote to memory of 1716	2088	rundll32.exe	mssecsvc.exe
PID 2088 wrote to memory of 1716	2088	rundll32.exe	mssecsvc.exe
PID 2088 wrote to memory of 1716	2088	rundll32.exe	mssecsvc.exe
PID 2088 wrote to memory of 1716	2088	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\15d83ee4639da1901b35df7a5b0e9a39_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\15d83ee4639da1901b35df7a5b0e9a39_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2088

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1716

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2712

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
45ec1df191a2b8a4c7bf6ccd2edd22e0

SHA1
ef35ca0d18bd79a5431442f84e394cd12a47cf31

SHA256
fbbfaa997091cc29e7dbf8e03d5f0eb2e36de972405aa1f35f111fe302559a33

SHA512
3c10e97b15692aaf845ec5f5478d6f1e6c74093f40a349d8a5aef65894c5f2af1b0648dc6001d04775fd441bd15b34963cc12579206143f0b461d265afc49a03

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9e6a3c0f1bfeef80cfccddbe072d1af9

SHA1
1a7e70ef21c28ecfca1a66823be7706a4954a0cf

SHA256
bcde665864a4da5e5edef9c75026ffa4c4fc0914844c8b7b354cf882b592c3d3

SHA512
ac81fa42b2b613d775e26a6e86360b821fc4ba5fb35c50559744d96cf31bfe7e9a2c3d94f5615f4474ffa5085112903cba7cc24d09a2c806ede0f52d4b334aa2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads