wannacry | 0044e04af55e740a58b3684dd927b95a14f7b7bc3abc22ba11dafefa348de058

General

Target

269322b335e4e231129fbbc8928843ce_JaffaCakes118.dll
Size

5.0MB
MD5

269322b335e4e231129fbbc8928843ce
SHA1

ef8b5a9e759de887d517b737fec7cc8cc170fbb9
SHA256

0044e04af55e740a58b3684dd927b95a14f7b7bc3abc22ba11dafefa348de058
SHA512

b6501f27966d645db90ee4ae2c2d9844c2c4186a4dcc7238ad955c49a6cc2aef7ae65f6f051ea8d67459f8a03f270e80423baa2c1ef6a5d517f37aaa38c6ab62
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59:+DqPe1Cxcxk3ZAEUad

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3111) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1260 mssecsvc.exe
3048 mssecsvc.exe
2556 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1260	mssecsvc.exe
3048	mssecsvc.exe
2556	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecisionTime = 70657c9185a1da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecisionTime = 70657c9185a1da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\9a-1d-ac-c2-a1-15	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2060 wrote to memory of 2760	2060	rundll32.exe	rundll32.exe
PID 2060 wrote to memory of 2760	2060	rundll32.exe	rundll32.exe
PID 2060 wrote to memory of 2760	2060	rundll32.exe	rundll32.exe
PID 2060 wrote to memory of 2760	2060	rundll32.exe	rundll32.exe
PID 2060 wrote to memory of 2760	2060	rundll32.exe	rundll32.exe
PID 2060 wrote to memory of 2760	2060	rundll32.exe	rundll32.exe
PID 2060 wrote to memory of 2760	2060	rundll32.exe	rundll32.exe
PID 2760 wrote to memory of 1260	2760	rundll32.exe	mssecsvc.exe
PID 2760 wrote to memory of 1260	2760	rundll32.exe	mssecsvc.exe
PID 2760 wrote to memory of 1260	2760	rundll32.exe	mssecsvc.exe
PID 2760 wrote to memory of 1260	2760	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\269322b335e4e231129fbbc8928843ce_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\269322b335e4e231129fbbc8928843ce_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2760

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1260

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2556

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a4a0d0acde8a7bd947043ed7a15be4ac

SHA1
bfa29be48c3d837989fff26225f93d18a62f0bb9

SHA256
bda20a1896bb26b43d1e2dc04207e033c1fa8e5bbe05b1e5d779450634afaa1a

SHA512
b3f5342fc6564cb65dc9e097d6438834ee0586973717c8e7659a693c22708dc88d98b6186423c823d11a1f24bc972d90e634a7985be49c4d1aa98ebddcad5576

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
5dbd99dcb1e13fef32132534e4f1770f

SHA1
0d7d1c89e2da9602c9279b6e8454292fec0ab61f

SHA256
1d80cb4c8ad9b72dbdeaee37b76f385cbef663c69338cb965dfffee6190d2f00

SHA512
83e077241955817e403d7d018632c90fc73b2865030ba9b449707e3718d484653e051767805f02809087d9f8f639a87fece54c61f04fe8e6ded9563496b489c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads