wannacry | 1ce387f825838a4cad3a088e62c18f8b2f650f1f0f6d74d49f84608734ed28bb

General

Target

719453dfddd5f4c2f8ccd5d333803eee_JaffaCakes118.dll
Size

5.0MB
MD5

719453dfddd5f4c2f8ccd5d333803eee
SHA1

6fb503ab459f63cdf970258daa5bf1fcdc06be75
SHA256

1ce387f825838a4cad3a088e62c18f8b2f650f1f0f6d74d49f84608734ed28bb
SHA512

859e0aab06db673503b843a6ef0b217afb21bf72ecee2a3515e686a5c194934d72cf76fd48af342ea95df2fec3d98f235e3d579429c72a67e7d97dab1a11b51d
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59SF8o/VGZQ0H3Hyd:+DqPe1Cxcxk3ZAEUadHw8Bw

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3291) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3060 mssecsvc.exe
2584 mssecsvc.exe
1224 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
3060	mssecsvc.exe
2584	mssecsvc.exe
1224	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9FBB6A0C-6AE1-4B46-B8BE-282272C20089}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9FBB6A0C-6AE1-4B46-B8BE-282272C20089}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-a8-7e-be-b0-f7\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9FBB6A0C-6AE1-4B46-B8BE-282272C20089}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-a8-7e-be-b0-f7	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9FBB6A0C-6AE1-4B46-B8BE-282272C20089}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9FBB6A0C-6AE1-4B46-B8BE-282272C20089}\86-a8-7e-be-b0-f7	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-a8-7e-be-b0-f7\WpadDecisionTime = b0fc9c4388aeda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9FBB6A0C-6AE1-4B46-B8BE-282272C20089}\WpadDecisionTime = b0fc9c4388aeda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-a8-7e-be-b0-f7\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1968 wrote to memory of 1988	1968	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 1988	1968	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 1988	1968	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 1988	1968	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 1988	1968	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 1988	1968	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 1988	1968	rundll32.exe	rundll32.exe
PID 1988 wrote to memory of 3060	1988	rundll32.exe	mssecsvc.exe
PID 1988 wrote to memory of 3060	1988	rundll32.exe	mssecsvc.exe
PID 1988 wrote to memory of 3060	1988	rundll32.exe	mssecsvc.exe
PID 1988 wrote to memory of 3060	1988	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\719453dfddd5f4c2f8ccd5d333803eee_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\719453dfddd5f4c2f8ccd5d333803eee_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1988

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3060

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1224

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
61c4227fa2b98afada79c2d177957fe3

SHA1
85ecd573c5b48fc4bd166c0a3208fcc518c47fb5

SHA256
8ed906a84016479de24242bbbe081f1232e1e1650d5bdb720164f80890745d3a

SHA512
d9e844f69c045cf958cd2d147ecd2257439139912ee9a3994167bdf140baf24f5af641d1e975fdf20e1811b09620d24184acab9f97c2c5130e570ccf12f14b03

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
563b7bbfd16c42664e61560f96894f93

SHA1
f5e01461ebd8489051b4a72620d99a5c81efe39c

SHA256
eb177815b05bb94cd0374d245cd4beae3d722eaa8fbc64f6395b4c9ff881302c

SHA512
b581b6be084d77f631a48297b142fd004d67ff5a1fa55d4124ce17b9e8602d39df4543b10237ef2f6c23d108d41ab837cf3ecb5f1b413438e337397f42a83e19

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads