wannacry | 83c4acbb1e62f954e10aafea37f7836a584105232ffc50b6b0ba6f0763ec2a17

General

Target

5c050085a1d97d84dd083ffe5c16b997_JaffaCakes118.dll
Size

5.0MB
MD5

5c050085a1d97d84dd083ffe5c16b997
SHA1

46bac5bebecdd5844458e53360d89f5b22ad181f
SHA256

83c4acbb1e62f954e10aafea37f7836a584105232ffc50b6b0ba6f0763ec2a17
SHA512

b94be49e7ad09ff9fd56dfb5540439340d4b0fc8150ca01d87726d1bf0f2f632d560db5d2945bcd36cd59c27d1123280545d419a27150aeafb3cb9abba3fbde8
SSDEEP

12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcFIwFg:zbLgddQhfdmMSirYFIwF

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3308) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1952 mssecsvc.exe
2656 mssecsvc.exe
2744 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1952	mssecsvc.exe
2656	mssecsvc.exe
2744	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionTime = c07f80a243aada01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\52-a4-6c-d2-f4-72	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionTime = c07f80a243aada01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2284 wrote to memory of 2084	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2084	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2084	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2084	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2084	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2084	2284	rundll32.exe	rundll32.exe
PID 2284 wrote to memory of 2084	2284	rundll32.exe	rundll32.exe
PID 2084 wrote to memory of 1952	2084	rundll32.exe	mssecsvc.exe
PID 2084 wrote to memory of 1952	2084	rundll32.exe	mssecsvc.exe
PID 2084 wrote to memory of 1952	2084	rundll32.exe	mssecsvc.exe
PID 2084 wrote to memory of 1952	2084	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c050085a1d97d84dd083ffe5c16b997_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c050085a1d97d84dd083ffe5c16b997_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2084

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1952

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2744

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e7c925d0f586c99459f9c5f893adbfd7

SHA1
7012330e0a36680ee9519a4aee6bee07e1ca58bd

SHA256
92844da713b6f306acb5878e9aff5dce01c06b0da71d09657744831fb4cd8c4c

SHA512
e46143f500dee1c4e10ae8bdda2cfeec01985b553debf20234c96fd33ad07907e7321e92e46ffb088f16e336bf67d54612b5a56be047a2ecf0fa3dc602569721

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3650c304c460b4f34c814c927085dcc6

SHA1
00c6dc1a4bed5c23ffafb3d920594a6715de142d

SHA256
7736edf6e9a464c5bd0f216f6421ee2d383199a3945a0a0d2fdb070b7a6de90a

SHA512
c4959107bdce40d5750e421e0e7f42383282e77476e570b246433bc8c370eb943bc5a58ab1dc4986cb1ff792ffa1df84df472ae6322628712a4bc9d12fbcb54b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads