wannacry | 4ed2422034a1b74cb728920571ae0fe52109863368be4de517263f74a21f5d8b

General

Target

5c2cb2ac661a725bde2b353f2406838c_JaffaCakes118.dll
Size

5.0MB
MD5

5c2cb2ac661a725bde2b353f2406838c
SHA1

98379ddd309db80a3486affda219f674a4f1c539
SHA256

4ed2422034a1b74cb728920571ae0fe52109863368be4de517263f74a21f5d8b
SHA512

19f0ecbdbaed1f12f0254462dfdf28ffa8e12173de86cd2a01dc6b6da99a144ef734a103248e58f53df7837d5275f939225c09923b3bcf4bd7a490dcd3aa0214
SSDEEP

49152:znAQqMSPbcBVQpEj/1INRx+TSqTdX1HkQo6SAA:TDqPoBlz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3312) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1848 mssecsvc.exe
2128 mssecsvc.exe
2992 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1848	mssecsvc.exe
2128	mssecsvc.exe
2992	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\WpadDecisionTime = 0064b52049aada01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-5e-aa-1d-91-fd\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0096000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-5e-aa-1d-91-fd	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\66-5e-aa-1d-91-fd	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-5e-aa-1d-91-fd\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-5e-aa-1d-91-fd\WpadDecisionTime = 0064b52049aada01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2840 wrote to memory of 2260	2840	rundll32.exe	rundll32.exe
PID 2840 wrote to memory of 2260	2840	rundll32.exe	rundll32.exe
PID 2840 wrote to memory of 2260	2840	rundll32.exe	rundll32.exe
PID 2840 wrote to memory of 2260	2840	rundll32.exe	rundll32.exe
PID 2840 wrote to memory of 2260	2840	rundll32.exe	rundll32.exe
PID 2840 wrote to memory of 2260	2840	rundll32.exe	rundll32.exe
PID 2840 wrote to memory of 2260	2840	rundll32.exe	rundll32.exe
PID 2260 wrote to memory of 1848	2260	rundll32.exe	mssecsvc.exe
PID 2260 wrote to memory of 1848	2260	rundll32.exe	mssecsvc.exe
PID 2260 wrote to memory of 1848	2260	rundll32.exe	mssecsvc.exe
PID 2260 wrote to memory of 1848	2260	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c2cb2ac661a725bde2b353f2406838c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c2cb2ac661a725bde2b353f2406838c_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2260

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1848

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2992

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
915f59c8e91eb616c221297924124d75

SHA1
f58808aada2bf6b8f46f75c40ae75b186b43ab68

SHA256
69e1de2bad3240b793611288b643c943b1cf739cce9a7606608b081e95d9cc49

SHA512
621ed69fb01a721ee16187c14216ea9bce4130a62aee9ecae86e7c38ec683824bca8995e311dca86048fdb72f4a8ebed23dc5bc8e786681fe368877bc80c3683

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
049324889108aa745285a14388c042aa

SHA1
37d16374cd1832e843627894f958f1907b17dc98

SHA256
b9d86611783d6d5312869a3ebe37abe645a64edb744b25a94b353b1024e9ef0a

SHA512
6b3dbf9551ebc874a51e623774626ab40241b9264b1b328e3fa00c9107dd0914d9127a7218eb8a051dd072206636e708def70245b462a0cdaad50ed64534b00a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads