wannacry | 865b10d9b9e7469d6f48b2a488da995a311c6875ee23d946e0c90cab7bbce773

General

Target

318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll
Size

5.0MB
MD5

318ef9cfc9a05e31a05bf1ec3c2b2109
SHA1

c1eb85e5f6692f062242b5959f44d8b26e616833
SHA256

865b10d9b9e7469d6f48b2a488da995a311c6875ee23d946e0c90cab7bbce773
SHA512

e0d6a5083e09854d6255c60d71201d5822e080725c14464328254fd43562257407aa6ae8405f0eb00cc3c332d2b21f966490d7ecbccb72a7aa2876a6a6cc5ad7
SSDEEP

24576:zbLgddQhfdmMSirYbcMNgef0U6SASk+Kdq/:znAQqMSPbcBVU6SAA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3281) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2968 mssecsvc.exe
2148 mssecsvc.exe
2716 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2968	mssecsvc.exe
2148	mssecsvc.exe
2716	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0047000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\WpadDecisionTime = 10f37c0b31a3da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\f6-49-19-7d-c6-ed	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed\WpadDecisionTime = 10f37c0b31a3da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2888 wrote to memory of 2952	2888	rundll32.exe	rundll32.exe
PID 2888 wrote to memory of 2952	2888	rundll32.exe	rundll32.exe
PID 2888 wrote to memory of 2952	2888	rundll32.exe	rundll32.exe
PID 2888 wrote to memory of 2952	2888	rundll32.exe	rundll32.exe
PID 2888 wrote to memory of 2952	2888	rundll32.exe	rundll32.exe
PID 2888 wrote to memory of 2952	2888	rundll32.exe	rundll32.exe
PID 2888 wrote to memory of 2952	2888	rundll32.exe	rundll32.exe
PID 2952 wrote to memory of 2968	2952	rundll32.exe	mssecsvc.exe
PID 2952 wrote to memory of 2968	2952	rundll32.exe	mssecsvc.exe
PID 2952 wrote to memory of 2968	2952	rundll32.exe	mssecsvc.exe
PID 2952 wrote to memory of 2968	2952	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2952

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2968

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2716

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
389c073a096bc2d1b08729365cf82802

SHA1
46235da95b5877eeb65bc230297ab3dd400d238a

SHA256
be01cb362759e1d821227542dbb9358e962e62198881b83d86e29eb21d116f54

SHA512
2c906dda9dff934474118582301dc586c13abe9666754b0d16333e8925f3bc6e7f22401e94c7e3e9584924b37b14024604285d26517201ced97e063cf8c9ec7b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
1a46563038a0cb83090bae987da31a82

SHA1
414ff3501b8f7f31e41b2543a7c2d0256fe783d7

SHA256
7547a90d72937e374589301b3da01af5d9a962e0548d9615df7f13b1c2b1baca

SHA512
6dbb12754321127c640340f2fd586f6a4f36fec88f32973e3f69818752ac8ee727404acaf5a689edd5b8b007358a40c90e00e34472c73b25e84502d07ed8fb77

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads