wannacry | 9b11fda2f77107aa2c36508e5f34ea0b069d028b19c693a2cbf7b34e3874255a

General

Target

30fd6ffd962fefa163bcce3e00cbd58a_JaffaCakes118.dll
Size

5.0MB
MD5

30fd6ffd962fefa163bcce3e00cbd58a
SHA1

f28c18d770a3c3c14e5e9e3e2dae46106c30ce0b
SHA256

9b11fda2f77107aa2c36508e5f34ea0b069d028b19c693a2cbf7b34e3874255a
SHA512

ec37e05b8e96ffbecac4b73d53b93211066a1ef91c66427ce75333498d992d47354f52b7cabc5d6dfe1dbc3f120665c2d23118f4c34f2877cd19d176ec7464e4
SSDEEP

49152:SnAQqMSPbcBVQej/1INR6T2becwTXQo6SAARdhnvxJM0H9TlAH:+DqPoBhz1aRxbevD36SAEdhvxWa9T2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3081) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2056 mssecsvc.exe
2616 mssecsvc.exe
2744 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2056	mssecsvc.exe
2616	mssecsvc.exe
2744	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\WpadDecisionTime = a0eb217b1ba3da01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-ac-0b-2e-eb-57	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-ac-0b-2e-eb-57\WpadDecisionTime = a0eb217b1ba3da01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\7a-ac-0b-2e-eb-57	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-ac-0b-2e-eb-57\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68758131-F71B-4337-B149-E3D21C707BFB}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-ac-0b-2e-eb-57\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1688 wrote to memory of 2984	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2984	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2984	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2984	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2984	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2984	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2984	1688	rundll32.exe	rundll32.exe
PID 2984 wrote to memory of 2056	2984	rundll32.exe	mssecsvc.exe
PID 2984 wrote to memory of 2056	2984	rundll32.exe	mssecsvc.exe
PID 2984 wrote to memory of 2056	2984	rundll32.exe	mssecsvc.exe
PID 2984 wrote to memory of 2056	2984	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30fd6ffd962fefa163bcce3e00cbd58a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30fd6ffd962fefa163bcce3e00cbd58a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2984

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2056

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2744

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d5eef796d83a35a7eecbae20f586fc03

SHA1
727fab0cf02047f66d627ea9a4f824fa898607ea

SHA256
5a356ff6aaadc9770455c9333ad70636dbc1022428811abe143c3403ea2fd6f8

SHA512
e3adef9feb4c546a95b4438121e6b1ce9d8f2d2e669e61ae8d5d50bb57201c0bbe829aa6b5f1dc700951e6b7c6a3ae9ce87275024e35be111c5396b7d927282c

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
49bd70db66932e48522897ab415793ed

SHA1
b8776438103d961fe4dcb48f2cb8189d0af98808

SHA256
6b079484221b9a31ae56c6561089a088b9a3572cd85cd61ca135dae672336501

SHA512
04f915be0d66d4e413de222d06be43240c5ab183a4dd75ae7eb2412c8490930e9c87c953729b8fb6df0e8b5c289e58ccd86ce43ce195934102770dcc276e4500

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads