wannacry | 957d41b5af564362c88ad2a2033c92c60f17d4ca7fe10a6805e7bf346d7b3e56

General

Target

430fb88c25b9ce5f5f8f6666538a214d_JaffaCakes118.dll
Size

5.0MB
MD5

430fb88c25b9ce5f5f8f6666538a214d
SHA1

6959809a973e3b4a4a0beec37b1b774e8238ca9b
SHA256

957d41b5af564362c88ad2a2033c92c60f17d4ca7fe10a6805e7bf346d7b3e56
SHA512

15452ce796deab26209c95c347b311128fc45a4e324d3bf1eae535585beb3b1cd90df93948d33c354dcc15b377c3fa532a87902fc6b0041b054a2dd1cbbced18
SSDEEP

49152:SnAQqMSPbcBVQej/1IhJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBhz16Wa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3338) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3060 mssecsvc.exe
2928 mssecsvc.exe
2648 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
3060	mssecsvc.exe
2928	mssecsvc.exe
2648	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84CA21AC-7C5D-4DF8-B743-14A5EC237E4F}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-fb-9a-10-0d-96	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84CA21AC-7C5D-4DF8-B743-14A5EC237E4F}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-fb-9a-10-0d-96\WpadDecisionTime = 0050c12442a6da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84CA21AC-7C5D-4DF8-B743-14A5EC237E4F}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84CA21AC-7C5D-4DF8-B743-14A5EC237E4F}\WpadDecisionTime = 0050c12442a6da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84CA21AC-7C5D-4DF8-B743-14A5EC237E4F}\a2-fb-9a-10-0d-96	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84CA21AC-7C5D-4DF8-B743-14A5EC237E4F}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-fb-9a-10-0d-96\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-fb-9a-10-0d-96\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1048 wrote to memory of 2980	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 2980	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 2980	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 2980	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 2980	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 2980	1048	rundll32.exe	rundll32.exe
PID 1048 wrote to memory of 2980	1048	rundll32.exe	rundll32.exe
PID 2980 wrote to memory of 3060	2980	rundll32.exe	mssecsvc.exe
PID 2980 wrote to memory of 3060	2980	rundll32.exe	mssecsvc.exe
PID 2980 wrote to memory of 3060	2980	rundll32.exe	mssecsvc.exe
PID 2980 wrote to memory of 3060	2980	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\430fb88c25b9ce5f5f8f6666538a214d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\430fb88c25b9ce5f5f8f6666538a214d_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2980

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3060

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2648

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
b7617437a4242212117fede7742af59c

SHA1
0b7c9e501adc2a83ed17e77fc2ab317999b010de

SHA256
9f3b097e80ab46b255c83242747cc1958c92e8cc08716b363fa0756d8532f6ba

SHA512
fcc2b8dd5fe91a8675cd8b4f173f4845ac4ee254c159d69f9d611480e9e67d3c05674b0bdde44584115c663de199aa2fcba31e5fb531dd7b2631b362e144247d

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
4dfd668a3c4cdbfaad7e9d4456647581

SHA1
fb7b0939abb03c92f6be6af36fa65d2914180576

SHA256
edb99870a96bceb131e2c83031490a2738a9bd202c0d20add651472401cc4776

SHA512
c50ee5b37850a110036faec679adf4f9a825035c6df4899f2e38da34037901fc1f07e3d703f1ace158a36068d031aa95a8d4adf0190f57203d0d501cbca053e1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads