wannacry | 5a2204b32ac7c60004c6a214effa87b5b9d9e647b60d1a1d62e44eebdd2bc93e

General

Target

30269a68cddaebb3be0b1dffc64b0a68_JaffaCakes118.dll
Size

5.0MB
MD5

30269a68cddaebb3be0b1dffc64b0a68
SHA1

ed3a7ab1165e1e5e74bc5ae43947b6e105e170b7
SHA256

5a2204b32ac7c60004c6a214effa87b5b9d9e647b60d1a1d62e44eebdd2bc93e
SHA512

37bc8164382144e04419b5060c505252424f62d90b6ab364eb564b42bac9cda5387914e3e660473f3cddb0b5786d64ca50927fcff7554e863011e5cb101a0720
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0Bt/8uME7A4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBVB3R8yAH1plAH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3330) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2984 mssecsvc.exe
2596 mssecsvc.exe
2580 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2984	mssecsvc.exe
2596	mssecsvc.exe
2580	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{99639D30-8C40-4CE6-8D6D-1BB64B64EB28}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{99639D30-8C40-4CE6-8D6D-1BB64B64EB28}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-ae-e2-2f-b0-45	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{99639D30-8C40-4CE6-8D6D-1BB64B64EB28}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{99639D30-8C40-4CE6-8D6D-1BB64B64EB28}\56-ae-e2-2f-b0-45	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-ae-e2-2f-b0-45\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-ae-e2-2f-b0-45\WpadDecisionTime = 40fe72a0fca2da01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{99639D30-8C40-4CE6-8D6D-1BB64B64EB28}\WpadDecisionTime = 40fe72a0fca2da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ab000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{99639D30-8C40-4CE6-8D6D-1BB64B64EB28}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-ae-e2-2f-b0-45\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2972 wrote to memory of 2372	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 2372	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 2372	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 2372	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 2372	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 2372	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 2372	2972	rundll32.exe	rundll32.exe
PID 2372 wrote to memory of 2984	2372	rundll32.exe	mssecsvc.exe
PID 2372 wrote to memory of 2984	2372	rundll32.exe	mssecsvc.exe
PID 2372 wrote to memory of 2984	2372	rundll32.exe	mssecsvc.exe
PID 2372 wrote to memory of 2984	2372	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30269a68cddaebb3be0b1dffc64b0a68_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30269a68cddaebb3be0b1dffc64b0a68_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2372

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2984

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2580

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d9f34b53dea18e9572d5483c63f1cb0f

SHA1
98e311a6572a6dc6a1ff6bd72b03237d7e7d1bbb

SHA256
c9a1d6bb9d440c7cbb2c1b29a0d6e3a5d506bb54ae74749a9118b5d44d0fec48

SHA512
263d3343b1f54555c5db90dcf2e0ea4ae714a5487c2509da228f2a05ef49744e27a854cbaa6acd8a7b2547c97eb366cf2c03e758c7d31276c19ca26ee72b7bc1

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
85dfcfd62baa38208ae5fadc00c38e81

SHA1
ff360bad8a9f6f412b1ead2229fdcef650077ce3

SHA256
cb7588b2c300fd90fdd381b67c5d40f4e43bd4f0598007353dc948680c971f74

SHA512
3a3602612f1c0e1d9700729ee42eb4c87735f5fbedc71d706897a9d587736bff60a9dbc2688b317cdfc63b9a3483f95f1ab560a8a42e37f455f7bf653fdd777d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads