wannacry | e378b6b101c70ccb81701996c0e380fdb8074dd1407ad675bb07d412a3621f15

General

Target

68040c40015e7357bd0db761ddf9d28c_JaffaCakes118.dll
Size

5.0MB
MD5

68040c40015e7357bd0db761ddf9d28c
SHA1

b7bc45c9ef8aba2b877bea85b9da645eebde56d7
SHA256

e378b6b101c70ccb81701996c0e380fdb8074dd1407ad675bb07d412a3621f15
SHA512

98434b6b877363e7046993fa4339e450d4d1c6651ec73be4434ead7fb5c99f590ef727d596459f0212bddc3e8527479d4fee1e4ed594064c4b7331f988969cf4
SSDEEP

49152:SnAQqMSPbcBVthnvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBXhvxWa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3339) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1196 mssecsvc.exe
2644 mssecsvc.exe
1268 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1196	mssecsvc.exe
2644	mssecsvc.exe
1268	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A01742AB-C193-40E0-8E18-E8FFABDC3C98}\WpadDecisionTime = e065b1366cacda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-a4-8d-e0-8f-8d\WpadDecisionTime = e065b1366cacda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A01742AB-C193-40E0-8E18-E8FFABDC3C98}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A01742AB-C193-40E0-8E18-E8FFABDC3C98}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A01742AB-C193-40E0-8E18-E8FFABDC3C98}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A01742AB-C193-40E0-8E18-E8FFABDC3C98}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-a4-8d-e0-8f-8d	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A01742AB-C193-40E0-8E18-E8FFABDC3C98}\2a-a4-8d-e0-8f-8d	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-a4-8d-e0-8f-8d\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-a4-8d-e0-8f-8d\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0027000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1736 wrote to memory of 2472	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 2472	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 2472	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 2472	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 2472	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 2472	1736	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 2472	1736	rundll32.exe	rundll32.exe
PID 2472 wrote to memory of 1196	2472	rundll32.exe	mssecsvc.exe
PID 2472 wrote to memory of 1196	2472	rundll32.exe	mssecsvc.exe
PID 2472 wrote to memory of 1196	2472	rundll32.exe	mssecsvc.exe
PID 2472 wrote to memory of 1196	2472	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\68040c40015e7357bd0db761ddf9d28c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\68040c40015e7357bd0db761ddf9d28c_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1196
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1268

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
44b3a1156d668a0d3e62540ec144b1ea

SHA1
73c1f8d547c6994bda024176fbd07ec8f33bb76f

SHA256
a8e92f81d46cdd72411282a0573f87848676d7116846e2ee6ebebd2a7ee9da87

SHA512
a99a698b054c4eba7840a7ce23597dc6b8868569d44104828a583cd28bdc74d1876b766c7648a6411d299d862fea727aeb4f9ab364a5b5a1a512b779daa279ce

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7d1a1e425c3a214a649013d89e82d6b4

SHA1
b695fd52830c6124b1799d0ba0d256fbd786a2f7

SHA256
3743d8bb3d584eb76a7e74dcc199b2674a4dc77a72c9236e1f3ebc5eaf51c7d6

SHA512
ab939c536bf339a70dab35178fdb90919c98bc0e3bf7982380390a6b8bd769e120dff9406db781a852b9da1bcc998bfd6df5f46bb5e8b91621b87a69d436f79f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads