wannacry | 75b14a7bdef9667c0e003351320e0a8a246a57db3ca648d8a424b0b3d3271792

General

Target

160b4ee7ffde7e6c168ffecacdc48f2f_JaffaCakes118.dll
Size

5.0MB
MD5

160b4ee7ffde7e6c168ffecacdc48f2f
SHA1

99c5a256999ea68c81f76056411aee25733aba2d
SHA256

75b14a7bdef9667c0e003351320e0a8a246a57db3ca648d8a424b0b3d3271792
SHA512

486de3f5663c2e5d1862b4148733fded67a3c32262b52eb783d3dc2dc5aceddcf34093ee3d28ba97ca0fd729d32ce2cd5f70e2cb516bf9c396ee9653e02343c0
SSDEEP

12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DdcL9gMZE/oy:SbLgddQhfdmMSirYbcMNgef0z9XEk

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3135) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2384 mssecsvc.exe
2556 mssecsvc.exe
2644 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2384	mssecsvc.exe
2556	mssecsvc.exe
2644	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionTime = 30c9ec33a79eda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionTime = 30c9ec33a79eda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\d6-8e-05-c7-1d-61	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2076 wrote to memory of 1616	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 1616	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 1616	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 1616	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 1616	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 1616	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 1616	2076	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 2384	1616	rundll32.exe	mssecsvc.exe
PID 1616 wrote to memory of 2384	1616	rundll32.exe	mssecsvc.exe
PID 1616 wrote to memory of 2384	1616	rundll32.exe	mssecsvc.exe
PID 1616 wrote to memory of 2384	1616	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\160b4ee7ffde7e6c168ffecacdc48f2f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\160b4ee7ffde7e6c168ffecacdc48f2f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1616

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2384

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2644

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
f162a3457e92b25a85e9a616ba88a091

SHA1
36fa7624e89e7980856531887900d7d98e341511

SHA256
16cfdb04d04098874b0d77a63f9688d9421ef5e0d4706219e4dc004a297a60ba

SHA512
dd9920a2a19ba91a8066b1ea84b5df3bee216d6742f4c312144a3f768dfa6e69e714029443fe40f60d5801bb252c417050948422e64831ac002a1cba01688985

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
10ad273a094f18d455d4de016f634a39

SHA1
8d11a4722fea582a4b8873c7ed7b57107ceaba45

SHA256
294b42bf9aa8f33f34181bc9fca1674e484d640fe4e01d34b4338d9680582df9

SHA512
cf115b350aec84553ee97b2a11909461351a7e11cfb49d42f98a3c7b2ce2c857fb67d3ae554f49aad8bfcb68efeeda46761a508862cc4fa7fe84369921ebeeb8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads