wannacry | 5afe1af7c8e1d6d57a05c8d8124e5482f5f93d53e35a3901bfd5bdaea666e2a1

General

Target

4379cf61c84bc977e3ca7cf96f81c6c9_JaffaCakes118.dll
Size

5.0MB
MD5

4379cf61c84bc977e3ca7cf96f81c6c9
SHA1

6b8120e8c6911aaea757d9b25bdb8b7d6a6d2923
SHA256

5afe1af7c8e1d6d57a05c8d8124e5482f5f93d53e35a3901bfd5bdaea666e2a1
SHA512

0a27bd875fc38beeaf0cd72840a49bdc576b7da9def191c75c21bd37243abe1d739417dce6643d28a254266bcae030537d08d8e75339cfff3a219aaf71977ca3
SSDEEP

98304:+DqPoBhz1aRxcSUDXdhvxWa9P593R8yAVp2H:+DqPe1CxcxXUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3068) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2120 mssecsvc.exe
2644 mssecsvc.exe
2740 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2120	mssecsvc.exe
2644	mssecsvc.exe
2740	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\5e-dd-44-d3-61-61	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadDecisionTime = 40b0ce7953a6da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61\WpadDecisionTime = 40b0ce7953a6da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2876 wrote to memory of 2244	2876	rundll32.exe	rundll32.exe
PID 2876 wrote to memory of 2244	2876	rundll32.exe	rundll32.exe
PID 2876 wrote to memory of 2244	2876	rundll32.exe	rundll32.exe
PID 2876 wrote to memory of 2244	2876	rundll32.exe	rundll32.exe
PID 2876 wrote to memory of 2244	2876	rundll32.exe	rundll32.exe
PID 2876 wrote to memory of 2244	2876	rundll32.exe	rundll32.exe
PID 2876 wrote to memory of 2244	2876	rundll32.exe	rundll32.exe
PID 2244 wrote to memory of 2120	2244	rundll32.exe	mssecsvc.exe
PID 2244 wrote to memory of 2120	2244	rundll32.exe	mssecsvc.exe
PID 2244 wrote to memory of 2120	2244	rundll32.exe	mssecsvc.exe
PID 2244 wrote to memory of 2120	2244	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4379cf61c84bc977e3ca7cf96f81c6c9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4379cf61c84bc977e3ca7cf96f81c6c9_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2244

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2120

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2740

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5158b00828ce20ecbeca10af0fee06a0

SHA1
da8326e8fb5f94566500b152f9d434d7e7232999

SHA256
da0264e42ca665c9e5788d11a2c23f9ed29f984cb48c3dbc58e7372f6e2406ed

SHA512
ddc75964735125eab1b8d1ae431112b5f6d68a77bc84f038fc69d5fc333698fe22babc286110ce1ae1013bde309ed0e00ac9f2d04137d3b2c0ac33144133185b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
0bf76c07bc449929c39ea15852d5f84f

SHA1
9e3d9d13a6102a9f04f14dfef0862f16e48f30e0

SHA256
7eb3e0b29552122441b6ffd26a315cce30b794ef49ae239f5b63e6eaaba23a71

SHA512
42465d1b8d060fcd27a3af680af00f7fd75093a0b31c45c69a86599ae18ee1234b2821e6ebf540a3ffd4b3d54b6e3962593dc9c9c928eca77ceac42c4dd5d809

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads