wannacry | b7cd6dd1c7f50335f963579cdf4edf9757a6eaad7315008de9ac356df50d308a

General

Target

2d04879574db0fa7bab32ab742d87132_JaffaCakes118.dll
Size

5.0MB
MD5

2d04879574db0fa7bab32ab742d87132
SHA1

6c9002b88f564e3f294c84e2578ad2e453f0eafd
SHA256

b7cd6dd1c7f50335f963579cdf4edf9757a6eaad7315008de9ac356df50d308a
SHA512

2001b30e210bceba9db40206b19d351ca92293a4d70b8775e9a4abc8626eb2ee8256aa0d2693a0a5f40aed195adec9c29efbf705b2986ace613590639b0e960a
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8y:+DqPe1Cxcxk3ZAEUadzR8y

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3302) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2184 mssecsvc.exe
3016 mssecsvc.exe
2600 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2184	mssecsvc.exe
3016	mssecsvc.exe
2600	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\a2-48-c5-91-63-73	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b03cb94a86a2da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b03cb94a86a2da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0054000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1540 wrote to memory of 2316	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 2316	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 2316	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 2316	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 2316	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 2316	1540	rundll32.exe	rundll32.exe
PID 1540 wrote to memory of 2316	1540	rundll32.exe	rundll32.exe
PID 2316 wrote to memory of 2184	2316	rundll32.exe	mssecsvc.exe
PID 2316 wrote to memory of 2184	2316	rundll32.exe	mssecsvc.exe
PID 2316 wrote to memory of 2184	2316	rundll32.exe	mssecsvc.exe
PID 2316 wrote to memory of 2184	2316	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d04879574db0fa7bab32ab742d87132_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d04879574db0fa7bab32ab742d87132_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2316

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2184

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2600

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0948f520863398a0d4b3cd9729959949

SHA1
cd68bada66aaff82ff1b1b6576505b3025c4f65a

SHA256
5f270030cb7982ede1a2e56b38224c21d332ea99f2183a1919e8230c6fd5a1df

SHA512
77d9d9cf8041348a97ba4768efcfac87a4af6f276aa32d7032b77f6ceed06cfe0e7d89c6645c5170ada4d4272b8d1e826c3a38598f41400fb2fd46676ca3d957

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f28e5ab4c2321dcf913e49901334185d

SHA1
ed968091ba6aac5902e700657bd3dc6cc4d0f2d5

SHA256
244c9c4cb0dca8d74f3eaae6383c27458acc4eac9f39f3ad77badfd96e7f0daa

SHA512
25fd0c1ae39160c86fe2f0a0abcda44be6e1c4f919f60d2d937372f2537c18054b11c9f786b517496256484506ddee83a234295305c619f7fef83282a4cf7945

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads