wannacry | 4434d6c1a3d738888f8c7cbe2e6a330f29e72a7968ed396943a6cb06c89c6dbf

General

Target

5c7fcd7038bd79f135f1411b8e9a40cf_JaffaCakes118.dll
Size

5.0MB
MD5

5c7fcd7038bd79f135f1411b8e9a40cf
SHA1

02c7a57b9e3725e4d0da711657b433f35dda7ee7
SHA256

4434d6c1a3d738888f8c7cbe2e6a330f29e72a7968ed396943a6cb06c89c6dbf
SHA512

f69be4df427061f8e3c10252724d99ca6c868c6560a67657f69aa5dcfee09e15b2479fff5955e10e658af05390d2d74d0a20ad6d7cfba283df8a5373fc0cd8cf
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQRkRiwt/Zx+:+DqPoBhz1aRxcSUDkqkkGZx

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3203) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1576 mssecsvc.exe
2600 mssecsvc.exe
2740 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1576	mssecsvc.exe
2600	mssecsvc.exe
2740	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1DF1378-E5A0-4B47-B6DE-A21A46388C33}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0021000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1DF1378-E5A0-4B47-B6DE-A21A46388C33}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1DF1378-E5A0-4B47-B6DE-A21A46388C33}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1DF1378-E5A0-4B47-B6DE-A21A46388C33}\56-00-06-6b-5e-62	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-00-06-6b-5e-62\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-00-06-6b-5e-62\WpadDecisionTime = 10a3319455aada01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1DF1378-E5A0-4B47-B6DE-A21A46388C33}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1DF1378-E5A0-4B47-B6DE-A21A46388C33}\WpadDecisionTime = 10a3319455aada01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-00-06-6b-5e-62	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-00-06-6b-5e-62\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2036 wrote to memory of 2792	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2792	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2792	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2792	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2792	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2792	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2792	2036	rundll32.exe	rundll32.exe
PID 2792 wrote to memory of 1576	2792	rundll32.exe	mssecsvc.exe
PID 2792 wrote to memory of 1576	2792	rundll32.exe	mssecsvc.exe
PID 2792 wrote to memory of 1576	2792	rundll32.exe	mssecsvc.exe
PID 2792 wrote to memory of 1576	2792	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c7fcd7038bd79f135f1411b8e9a40cf_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c7fcd7038bd79f135f1411b8e9a40cf_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2792

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1576

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2740

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0a102100de33199f2a9741518203b362

SHA1
7716a38ba8701dbca6e140bbf751461ff0ba343d

SHA256
4714ab6107da11f3c0f59f556edf366a41c3876e586bcddb88d7d4694331477d

SHA512
9a37cb21b75ceaafe10640b6fa30775bd3e06f0470aba1c2c45e719ce52f5ac67e6c78f3a39302f27cc1e96b232a5d2169b66a3c707ad9d96a339a2986f5cce7

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f4afaac13ccdd03288cbd15c95eac020

SHA1
680e0171c71c9654d53790217d3b2598810a1f91

SHA256
dd5a0a63b7d376c4b8b5925b92ddb61a249060a4f26966e5cf9b172936074503

SHA512
3112c52995deea46401301c67898f3d068fa5ad0aa0b96b75a04340aba09b340e43d23ddec9fcff13645adb80838f956f98feaeb0a97f152f2590972de17c6fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads