wannacry | f495d34a21134295ddf1425fd4f471b659fd46e8d35e954bcd02b81b3dfdd3ee

General

Target

612b79c7d1edab76db51047ccb5f85c1_JaffaCakes118.dll
Size

5.0MB
MD5

612b79c7d1edab76db51047ccb5f85c1
SHA1

cf3b6de3fc093574d3a4f580cbc0ae8bbea19dbf
SHA256

f495d34a21134295ddf1425fd4f471b659fd46e8d35e954bcd02b81b3dfdd3ee
SHA512

560b591d7dd743f2cc37899be411bbf6d9c84e8f2f4cb5b71b967b0b6b813b4b34b151af6ec62caa3c326e54f429cebef768180129c78322f1bd8f99d2c6b97d
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTJ6SAARdhnvxJM0H9PAMEcaEau3I:+DqPoBhz1aRxcSUJ6SAEdhvxWa9P593

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2990) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2616 mssecsvc.exe
2552 mssecsvc.exe
2560 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2616	mssecsvc.exe
2552	mssecsvc.exe
2560	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-67-6c-72-4a-e1\WpadDecisionTime = 9012dfdb06abda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-67-6c-72-4a-e1\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-67-6c-72-4a-e1	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\52-67-6c-72-4a-e1	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0119000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDEBB75B-19A0-40AE-B650-10C634716058}\WpadDecisionTime = 9012dfdb06abda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-67-6c-72-4a-e1\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2780 wrote to memory of 1580	2780	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1580	2780	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1580	2780	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1580	2780	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1580	2780	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1580	2780	rundll32.exe	rundll32.exe
PID 2780 wrote to memory of 1580	2780	rundll32.exe	rundll32.exe
PID 1580 wrote to memory of 2616	1580	rundll32.exe	mssecsvc.exe
PID 1580 wrote to memory of 2616	1580	rundll32.exe	mssecsvc.exe
PID 1580 wrote to memory of 2616	1580	rundll32.exe	mssecsvc.exe
PID 1580 wrote to memory of 2616	1580	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\612b79c7d1edab76db51047ccb5f85c1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\612b79c7d1edab76db51047ccb5f85c1_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2616
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2560

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
9570b5044470f6f611b4fbadf5653907

SHA1
b88a572230b25e22353242fd45b9f3693720c257

SHA256
84241ef8713eff74e07edfa1678922b22bf9faf39ff36c1bb96ce6f9b846a006

SHA512
e9e97ac7b91f9493e2257db5129a83c2774c517fb284c6ebd142864f9fa42f91f71d07aee99fb9b5c268e13f502687a0bc9e06b627a006d657b76f0c19768ffb

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
cb72f9f69e4f4535683fec1183d4005d

SHA1
f931593bc4c090d6ca2f739b64531efd69b1e4e4

SHA256
ad2e976654f81ac59aca04747e12d8975b4e2ceaae559c105ed7021e7e122ba8

SHA512
aa75c74d748561b70349e414dc28812184f842eb13a4094f18beae82dbe31699f89361e0dfefa7616460f3318c54e7ba2e6c85962601a8d161129396242f628e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads