wannacry | 67fb76c4fabd6e4bc050e2fc5dd3751b5d7d8e8eb0ef739cae9524e9f404c661

General

Target

501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll
Size

5.0MB
MD5

501dc5ce9e1ef2b61cedefeb887e4bdf
SHA1

c4b666275cca5fa6f45a72588b8858293dfc8322
SHA256

67fb76c4fabd6e4bc050e2fc5dd3751b5d7d8e8eb0ef739cae9524e9f404c661
SHA512

54fdfed9125c1d3ddea0c87bdad326a39f24a0aaa6e09356a17403bf99fae40f91b7c5e59820c8453d8f212d805c9f4b42f6d4c79000f24a31b18f6b83d6bdf5
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3107) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2364 mssecsvc.exe
1732 mssecsvc.exe
2140 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2364	mssecsvc.exe
1732	mssecsvc.exe
2140	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ADE1A363-6505-46B1-A587-1135F8646CF4}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ADE1A363-6505-46B1-A587-1135F8646CF4}\WpadDecisionTime = 409a7d3a6ba8da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-1e-7e-b5-6b-35\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ADE1A363-6505-46B1-A587-1135F8646CF4}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ADE1A363-6505-46B1-A587-1135F8646CF4}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ADE1A363-6505-46B1-A587-1135F8646CF4}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-1e-7e-b5-6b-35	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-1e-7e-b5-6b-35\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ADE1A363-6505-46B1-A587-1135F8646CF4}\ea-1e-7e-b5-6b-35	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-1e-7e-b5-6b-35\WpadDecisionTime = 409a7d3a6ba8da01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 1720	1736	rundll32.exe	rundll32.exe
PID 1720 wrote to memory of 2364	1720	rundll32.exe	mssecsvc.exe
PID 1720 wrote to memory of 2364	1720	rundll32.exe	mssecsvc.exe
PID 1720 wrote to memory of 2364	1720	rundll32.exe	mssecsvc.exe
PID 1720 wrote to memory of 2364	1720	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1720

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2364

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2140

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
1438b1a728e349833aefc78d2cf3444b

SHA1
a4e026c165c94dee9e4f23968376c0c5e663d2ce

SHA256
10848a23a4bb66b68e1e822ae097b20de861a21134043fdb7aa567437fbdd512

SHA512
67f2ade068270d523a709ad6e2a1f9e56ff2138bed1738660a143a56903f73c48e1e7268c4065c186c8343de1d649f12a4c15d56d32ed2aedf31c14dbb6f7c2a

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
23e2fc74db39af10ec21a185e98203d0

SHA1
927df4391803a683658fd6c741e2fc6159c25e1e

SHA256
020184730bcb72d346a6ceedb88f13e226ea037fea9116f92ba121d1452f0d4d

SHA512
45c29409448fccd138a5fb31bff1dae67b8d8f03c6d7a4e1a1598eed9cebb8f3e102a9355b59ef232485e32fda6ae4cdce6ce1fdadfe1b51756dc93b12646d0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads