wannacry | ff74642f90c3b465f9cbf420e97a75b08af9a06eaa44ffd84023661aaf965ac6

General

Target

2c2619f19a487324e0d8a771b660e2d5_JaffaCakes118.dll
Size

5.0MB
MD5

2c2619f19a487324e0d8a771b660e2d5
SHA1

0767faa743ed4700df19d9862b9049496946c205
SHA256

ff74642f90c3b465f9cbf420e97a75b08af9a06eaa44ffd84023661aaf965ac6
SHA512

615065c9e6c0bed1079f59f7be43b5398128e0b08c833f6eddf0636965297b97c3083773719eabb120ebcd76ee0a93fda58779377e51f31ab3ecbfbb8416cc9b
SSDEEP

98304:+2NPoBhz1aRxcSUDk36SAEdhvxWa9P593Ry2H:+2NPe1Cxcxk3ZAEUadzRxH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2039) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3040 mssecsvc.exe
2660 mssecsvc.exe
2300 tasksche.exe

pid	process
3040	mssecsvc.exe
2660	mssecsvc.exe
2300	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-7a-13-07-66-07	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7720BE3-4D55-4D47-B9E5-ED7F7AF724CE}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7720BE3-4D55-4D47-B9E5-ED7F7AF724CE}\0a-7a-13-07-66-07	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-7a-13-07-66-07\WpadDecisionTime = e036a96565a2da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7720BE3-4D55-4D47-B9E5-ED7F7AF724CE}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7720BE3-4D55-4D47-B9E5-ED7F7AF724CE}\WpadDecisionTime = e036a96565a2da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-7a-13-07-66-07\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7720BE3-4D55-4D47-B9E5-ED7F7AF724CE}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0073000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7720BE3-4D55-4D47-B9E5-ED7F7AF724CE}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-7a-13-07-66-07\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1876 wrote to memory of 1704	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1704	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1704	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1704	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1704	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1704	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1704	1876	rundll32.exe	rundll32.exe
PID 1704 wrote to memory of 3040	1704	rundll32.exe	mssecsvc.exe
PID 1704 wrote to memory of 3040	1704	rundll32.exe	mssecsvc.exe
PID 1704 wrote to memory of 3040	1704	rundll32.exe	mssecsvc.exe
PID 1704 wrote to memory of 3040	1704	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c2619f19a487324e0d8a771b660e2d5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c2619f19a487324e0d8a771b660e2d5_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1704

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3040

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2300

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
fafa048771a311fb2dcb96fd7f30b9c2

SHA1
f7bb4f6a82bb5e616a574c41b60cd3029a5b9f04

SHA256
cc2561122111e0252c2050d91fea69445c996b336e7b2dfe09a082a46b4e54ff

SHA512
ed8f4b2262221fc96a18f3b7b860baf9408c3aac4825781655af9a4e85dd0fe2b14c516ebcb734a95273c757fa15f690960df09f48550043838f47e0f1616b7f

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
b37d5af62499cd8f31269fcb141a3c24

SHA1
5fd44fe4e95b4dec2e85e896110c833165edd14a

SHA256
accce946b284fd8ec10dbf389fd8ab122d81801550551c08a0264343f82164ad

SHA512
5313dd5880ab10365de0e179bf4a0cd50d64c9e2e51e00a4bcf73e4947133c466f57aae89c64ca7a650021c5149983973c52fb5ec6daa7d46c5f7b2fedf40c1f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads