wannacry | 9bde5e19c245919890fee8337a38a915637eb962134858f4ba1cf52fc77e04bf

General

Target

4f2bfd712a01aebb799326e1e1db66ff_JaffaCakes118.dll
Size

5.0MB
MD5

4f2bfd712a01aebb799326e1e1db66ff
SHA1

21b9dda55b3d7444b82568903d67b2d984440d08
SHA256

9bde5e19c245919890fee8337a38a915637eb962134858f4ba1cf52fc77e04bf
SHA512

f99145a414d49b6896d98e1f435b269711f51fd54e988dab974a64a77cadd37d63856eff04b779421e116f60c17be4700f1d87b54c011fb77d290561c40d885f
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9E3R8yAVp2H:+DqPe1Cxcxk3ZAEUaUR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3196) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2428 mssecsvc.exe
2340 mssecsvc.exe
2668 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2428	mssecsvc.exe
2340	mssecsvc.exe
2668	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0048000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadDecisionTime = 40eeb26a34a8da01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa\WpadDecisionTime = 40eeb26a34a8da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\7e-ee-d0-44-56-aa	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2548 wrote to memory of 2972	2548	rundll32.exe	rundll32.exe
PID 2548 wrote to memory of 2972	2548	rundll32.exe	rundll32.exe
PID 2548 wrote to memory of 2972	2548	rundll32.exe	rundll32.exe
PID 2548 wrote to memory of 2972	2548	rundll32.exe	rundll32.exe
PID 2548 wrote to memory of 2972	2548	rundll32.exe	rundll32.exe
PID 2548 wrote to memory of 2972	2548	rundll32.exe	rundll32.exe
PID 2548 wrote to memory of 2972	2548	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 2428	2972	rundll32.exe	mssecsvc.exe
PID 2972 wrote to memory of 2428	2972	rundll32.exe	mssecsvc.exe
PID 2972 wrote to memory of 2428	2972	rundll32.exe	mssecsvc.exe
PID 2972 wrote to memory of 2428	2972	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f2bfd712a01aebb799326e1e1db66ff_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f2bfd712a01aebb799326e1e1db66ff_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2972

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2668

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
6dd1fb0f0f6a9ce1d43b9f7a850fccf7

SHA1
c9446988e6590bb3405f771ae4e3f8863244963b

SHA256
091c32a21a94673080b1a8b6b66d4e2cd823cb9412e171146fd894998902cf19

SHA512
e3cbe5a7518b6501b2544fc2f248fe3c0d554003f12fc7ab355526593d4285599a5730d1b4102e4275179a30107bc7462e56d5c3f60007ba9d78a441870db9d4

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
fd38e14572d632ed874b7cae3518eaa5

SHA1
12b2ef10b1ac6c60e106f2427f7ea471d4a36938

SHA256
858ce8d1e99a24dc7666567798d9e938a1d2de20d1448b4804e1cb9bea1f76ea

SHA512
7c97076979324650bbf292b23aac2cf1559a5bbff168db0f2189b86b23a3f95ddc12845013d3060637cead2167610da98274fe5a39f8ebe571a27bd136731075

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads