wannacry | 8310a6ae79b932a727b088c7310f7183df78f9be4451f21968ce04d1f320a093

General

Target

71355278822a182bc126997e58f45408_JaffaCakes118.dll
Size

5.0MB
MD5

71355278822a182bc126997e58f45408
SHA1

6a009f7b1efa74d9d245766a221a18624196792d
SHA256

8310a6ae79b932a727b088c7310f7183df78f9be4451f21968ce04d1f320a093
SHA512

1435771cb22ec7647545246a551c6fca7a2f21e931b3afc4f3cc4efc83cd1f4bb49f20782f4e914754c30556c4a85126eb29c7d46f04c643d3aca02a5b44a9b3
SSDEEP

12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DOaq1SK662Q:zbLgddQhfdmMSirYbcMNgef0lz662

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3169) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

312 mssecsvc.exe
1440 mssecsvc.exe
2644 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
312	mssecsvc.exe
1440	mssecsvc.exe
2644	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f005d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-34-3a-38-f7-ef	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-34-3a-38-f7-ef\WpadDecisionTime = b0e5153472aeda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9DAEF1C3-CE53-4BC3-918B-B2B79E5ED177}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9DAEF1C3-CE53-4BC3-918B-B2B79E5ED177}\WpadDecisionTime = b0e5153472aeda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-34-3a-38-f7-ef\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9DAEF1C3-CE53-4BC3-918B-B2B79E5ED177}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9DAEF1C3-CE53-4BC3-918B-B2B79E5ED177}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-34-3a-38-f7-ef\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9DAEF1C3-CE53-4BC3-918B-B2B79E5ED177}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9DAEF1C3-CE53-4BC3-918B-B2B79E5ED177}\76-34-3a-38-f7-ef	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1512 wrote to memory of 2280	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2280	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2280	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2280	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2280	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2280	1512	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 2280	1512	rundll32.exe	rundll32.exe
PID 2280 wrote to memory of 312	2280	rundll32.exe	mssecsvc.exe
PID 2280 wrote to memory of 312	2280	rundll32.exe	mssecsvc.exe
PID 2280 wrote to memory of 312	2280	rundll32.exe	mssecsvc.exe
PID 2280 wrote to memory of 312	2280	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71355278822a182bc126997e58f45408_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71355278822a182bc126997e58f45408_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2280

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:312

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2644

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
f25534e176ac75ef4eec66e4e797136d

SHA1
a0860596388c5444c8f7b959ee62219a689d5d46

SHA256
744181ead7b7835d852a25e0f41f97248d7aca9ecc3a9025483bf8f884e3873d

SHA512
78b399885a0729ad3b651a119491c3e1075c0ea15a0a14fbfd176c1ef43fbd9915da05b036e393674c2d93c4f426ccce89f0e55c1e62cce094926de96beb37af

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
397c62b29e228c484e4873c2fe5b1b6e

SHA1
3b0abbd50014445b2e86daec82a9df41b2b48402

SHA256
2772b7f6d3253b8208d6580b7f05cb3678d2622cd7085fea354555f11fc78ccf

SHA512
d4d3dc4f6f25c0357ff33581401ea21f611dc39c98d1c739331626f914a5c6ae9278f955e8a6f9ac0d67011ad6f33fabebda521607a53f2d300b87c316ffe205

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads