wannacry | 34bad26f44899f682f3d85b1c860d1189656f982988013a9d80d4870f2167d1d

General

Target

27554181da0fcc076c77efa2a38b4c0a_JaffaCakes118.dll
Size

5.0MB
MD5

27554181da0fcc076c77efa2a38b4c0a
SHA1

272f3944342dd99f9774b1399a6e40c1db65ebcb
SHA256

34bad26f44899f682f3d85b1c860d1189656f982988013a9d80d4870f2167d1d
SHA512

a523d9a9acc0d973edfd5d1fd2c49ccb28f5a46ac1e70c9fb01c97005a3aeff76d0c9caf38c7040d81d2af3b406d0aef6957ce695a7ca96975512939048c6fa1
SSDEEP

49152:SnAQqMSPbcBVQej/ZXvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBhzZ/xWa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3191) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2812 mssecsvc.exe
2680 mssecsvc.exe
2720 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2812	mssecsvc.exe
2680	mssecsvc.exe
2720	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\5e-15-e7-ce-c4-81	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-15-e7-ce-c4-81\WpadDecisionTime = e0f1e8e1a3a1da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\WpadDecisionTime = e0f1e8e1a3a1da01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-15-e7-ce-c4-81\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-15-e7-ce-c4-81	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-15-e7-ce-c4-81\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2992 wrote to memory of 2076	2992	rundll32.exe	rundll32.exe
PID 2992 wrote to memory of 2076	2992	rundll32.exe	rundll32.exe
PID 2992 wrote to memory of 2076	2992	rundll32.exe	rundll32.exe
PID 2992 wrote to memory of 2076	2992	rundll32.exe	rundll32.exe
PID 2992 wrote to memory of 2076	2992	rundll32.exe	rundll32.exe
PID 2992 wrote to memory of 2076	2992	rundll32.exe	rundll32.exe
PID 2992 wrote to memory of 2076	2992	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 2812	2076	rundll32.exe	mssecsvc.exe
PID 2076 wrote to memory of 2812	2076	rundll32.exe	mssecsvc.exe
PID 2076 wrote to memory of 2812	2076	rundll32.exe	mssecsvc.exe
PID 2076 wrote to memory of 2812	2076	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27554181da0fcc076c77efa2a38b4c0a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27554181da0fcc076c77efa2a38b4c0a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2076

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2812

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2720

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
47485294e0abede12affc7da1f594fd6

SHA1
909400149ac9f5c08816abe316caa1265d4313ae

SHA256
b14cd140975fd128812555116bcb650122adc840ae51e21913022a91192125ef

SHA512
8f5fb7a988335357c08bfce0ce8f6fd8aeec7532d4025c59d86cecb283bb7df8ec4cee8b1b5774a9b05e998d74ec4bbe6ee3cd73b4adade94fd943a48e69fd82

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
ca1f60f9db09427ff802c34917f70adc

SHA1
cfdbcf44248476d52b55b1950e3edeeb0f5b5073

SHA256
90994a01b9937d3351397c4dbf0b352383ac083f1a5b5270bc911d99c9f9b152

SHA512
7fcd812c2d17cfbdf30d8343a1876e66bd273bbf2a927e9ca53e6b2cb2f4576add11d70b81ba9f20aa60a6a86b4a7aaac359b516bfb27160476b5d4d04d681ca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads