wannacry | 427453cd2e3bada668d880e6eec35e83a92532263df7e69d2f67f30e627edf93

General

Target

2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll
Size

5.0MB
MD5

2ec7d1f90d57b3f3e5057e3b032bea5a
SHA1

63536a6303c855181bf6a57fbf68d6e3b2e55145
SHA256

427453cd2e3bada668d880e6eec35e83a92532263df7e69d2f67f30e627edf93
SHA512

d0beb1dc06e9fcdcba033c5a7fc39d5453ffafadf6667f6a5fafbfb0a057c4b2e31ac112ccb22a0b80b92c792c0164e5e7e6460652641fcce54978d36a763857
SSDEEP

49152:SnAQqMSPbcBVQej/1IN5AMEcQEau3R8yAH1plAH:+DqPoBhz1a55T3R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3170) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2100 mssecsvc.exe
2052 mssecsvc.exe
2640 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2100	mssecsvc.exe
2052	mssecsvc.exe
2640	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0039000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-6f-27-c5-88-1c	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-6f-27-c5-88-1c\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-6f-27-c5-88-1c\WpadDecisionTime = c0e7a159c9a2da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\WpadDecisionTime = c0e7a159c9a2da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\32-6f-27-c5-88-1c	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-6f-27-c5-88-1c\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1084 wrote to memory of 1816	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1816	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1816	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1816	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1816	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1816	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1816	1084	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 2100	1816	rundll32.exe	mssecsvc.exe
PID 1816 wrote to memory of 2100	1816	rundll32.exe	mssecsvc.exe
PID 1816 wrote to memory of 2100	1816	rundll32.exe	mssecsvc.exe
PID 1816 wrote to memory of 2100	1816	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1816

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2100

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2640

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
1b2a00a37ef42709cc56b202a834f8ee

SHA1
2042224f22294df4629d4f4cb0946761387cbf08

SHA256
fdd0e31bbb92fdda81ab4d2a13a3bebff0ba4627a8fb623822a421309765979f

SHA512
7dacf94cd985277a88e7a9fe1a2b5ca7eaf2205df65a61f8216e34d3bf75d43ae1c472c20f05c24c2f25c1c163f5541baf4ca7eec03bad56d083101900c84411

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
02fe7a6b7dd8d5ba72d6027753a24d9c

SHA1
b950375dc5fdc23af5b40a748963fb80b8bc2e46

SHA256
a99fd8d4b4b0ca08f0a5c0687d96207a6d6718e07dfcc8206cb86bea3e8db5ec

SHA512
bf101c3f77f8b636cdcd9e516faf51de49598ca6d9b0af1469bff6632766c0b4811966f22c9067ba20753d0cb9f70b216fe43d10f4360c04773a7e97b81efa39

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads