wannacry | 01f93d9d2c61a9770ceebdfc3c324e6e26c4db35c8c00924e3c4beb32969164e

General

Target

772062d5fd479a0b8560699960e0201e_JaffaCakes118.dll
Size

5.0MB
MD5

772062d5fd479a0b8560699960e0201e
SHA1

097250e5e0175d55eb802fa0cda2cafc4582e77b
SHA256

01f93d9d2c61a9770ceebdfc3c324e6e26c4db35c8c00924e3c4beb32969164e
SHA512

64285582d6809f265a0136832ef71477a3aaee86e54d066fdd7a15b7234cc67b738d843918c5a14600a24e9f853a5c2ef931c7f3c87d20f4e34ad2d35c8bbf28
SSDEEP

98304:TDqPoBhz1aRxcSUDkXhvxWa9P593R8yAVp2H:TDqPe1Cxcxk+adzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3292) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2260 mssecsvc.exe
2668 mssecsvc.exe
2656 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2260	mssecsvc.exe
2668	mssecsvc.exe
2656	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E345AFA-3B2B-4AC6-BFB8-DA93A76BB292}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E345AFA-3B2B-4AC6-BFB8-DA93A76BB292}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E345AFA-3B2B-4AC6-BFB8-DA93A76BB292}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E345AFA-3B2B-4AC6-BFB8-DA93A76BB292}\f6-d6-80-27-fd-8e	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-d6-80-27-fd-8e\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-d6-80-27-fd-8e	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E345AFA-3B2B-4AC6-BFB8-DA93A76BB292}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-d6-80-27-fd-8e\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E345AFA-3B2B-4AC6-BFB8-DA93A76BB292}\WpadDecisionTime = a0386460c2afda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-d6-80-27-fd-8e\WpadDecisionTime = a0386460c2afda01	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1688 wrote to memory of 2908	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2908	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2908	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2908	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2908	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2908	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 2908	1688	rundll32.exe	rundll32.exe
PID 2908 wrote to memory of 2260	2908	rundll32.exe	mssecsvc.exe
PID 2908 wrote to memory of 2260	2908	rundll32.exe	mssecsvc.exe
PID 2908 wrote to memory of 2260	2908	rundll32.exe	mssecsvc.exe
PID 2908 wrote to memory of 2260	2908	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\772062d5fd479a0b8560699960e0201e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\772062d5fd479a0b8560699960e0201e_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2908

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2260

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2656

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
8fd7bc66f07ec0135c5c429b1ee96225

SHA1
a6ece1b324b7c3d3071254d75551118759fe684f

SHA256
78b7c7086aadafd2a6869bbd3b60141fab3d31aa8eef7801d6c0ab1c8d97ad76

SHA512
ec8e2c2fba4e77c7c8b4d3bdf99745894e0a61bb6cf17179dbb946727957f90fe5b25539d21ec9d075e75af7358d5b0596de106ea15b844e209fdf9de2f90d98

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f9a593cc170d6c24edcbeaf58dcba0ef

SHA1
382654561eefd5f2398201dd9b8697e5cc5eb2e3

SHA256
95cb0565064f2f67162eb63c8e3cfa4746112d054f7a9dcfe1599d879d625982

SHA512
5d3d188124e4cf0a8ce735df5117b51fc5ab6bf5b4c2e994f874130cd0b258d15e0078e4fe997a8ea5be44590a9912e0aa87cf2191d09de2aa9d359430f615d5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads