wannacry | 6bb91cc643e06254aea95a04a3660c5ac4906d7a812336d3e13c0c586185005c

General

Target

219407ddfd792bd58cba6b267ddef3cc_JaffaCakes118.dll
Size

5.0MB
MD5

219407ddfd792bd58cba6b267ddef3cc
SHA1

d5d64075255259f871b68dd1f6c67a5dfac1bb09
SHA256

6bb91cc643e06254aea95a04a3660c5ac4906d7a812336d3e13c0c586185005c
SHA512

5a3811a7ec1ca207d868701b7964ea6d0d07d5799f9ddd5997803c054a6ae6a6471d1efe50e8df2e689e9bb70e7cbd911b146a20d2f627b9c143c83ce5654c13
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S9I5c/bXZROAx:+DqPoBhz1aRxcSUDk36SQc/J

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3198) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1708 mssecsvc.exe
2960 mssecsvc.exe
2652 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1708	mssecsvc.exe
2960	mssecsvc.exe
2652	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadDecisionTime = 20c5f653bca0da01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\06-cb-7e-1e-58-a7	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7\WpadDecisionTime = 20c5f653bca0da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1676 wrote to memory of 1612	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1612	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1612	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1612	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1612	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1612	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1612	1676	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 1708	1612	rundll32.exe	mssecsvc.exe
PID 1612 wrote to memory of 1708	1612	rundll32.exe	mssecsvc.exe
PID 1612 wrote to memory of 1708	1612	rundll32.exe	mssecsvc.exe
PID 1612 wrote to memory of 1708	1612	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\219407ddfd792bd58cba6b267ddef3cc_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\219407ddfd792bd58cba6b267ddef3cc_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1612

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1708

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2652

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
400afff4fe67c41072d656d3407f8be8

SHA1
693c3f1b80368b21ef841d43b6ab5aae538c3ecf

SHA256
a5394c768777bb735aff3d03d003b2339e647766a4fa45bb254a89385cc737eb

SHA512
3f97f3a7bb07ee51e50e7e6c1527660ace75e2e52934fcf83a1b245bd3dde870330bce6a4726e4e759681c9f0ed956a122d8c55a96202e1ac3720f6ddaa5c61e

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
dd4f1eceb27794a507d5ab787ce90a64

SHA1
4c1ace4632fb448c4ceb03d87d42a2512f8ec943

SHA256
ee3da15414211d673fd5ee868b50cfc69d731431e5fc3148eee0d40e7615c1bd

SHA512
f8868cb30abe2240bb9e2221be8a69ab676b8cad9c07486a4b4490ec256bc86d9ba7e40fd1b22c19824b9ad503800166c7fcc33e3f8ae4e26ebb70118bca4869

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads