wannacry | c93726fbc82f2bbc7a43dd4781f4663b94d0e68a73142001210853f43506d8ec

General

Target

770c0416bf0a1f935a095a497d5caa38_JaffaCakes118.dll
Size

5.0MB
MD5

770c0416bf0a1f935a095a497d5caa38
SHA1

f85bf851be59f0d2c9981edb3ca486f2072c5f04
SHA256

c93726fbc82f2bbc7a43dd4781f4663b94d0e68a73142001210853f43506d8ec
SHA512

bb6a44eff9122e88dd3e9dba5a2fe256bd255e142697346af16067a77c6abeaa42fa7e77bce4334c28e380a9b3996c3030044e446fde826c38563f80b99fa937
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59Uc/:+DqPe1Cxcxk3ZAEUadv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3324) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2004 mssecsvc.exe
2304 mssecsvc.exe
2624 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2004	mssecsvc.exe
2304	mssecsvc.exe
2624	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-65-03-b4-91-1c	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\WpadDecisionTime = f0cbe63abeafda01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\8e-65-03-b4-91-1c	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-65-03-b4-91-1c\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-65-03-b4-91-1c\WpadDecisionTime = f0cbe63abeafda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-65-03-b4-91-1c\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3016 wrote to memory of 1968	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 1968	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 1968	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 1968	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 1968	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 1968	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 1968	3016	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 2004	1968	rundll32.exe	mssecsvc.exe
PID 1968 wrote to memory of 2004	1968	rundll32.exe	mssecsvc.exe
PID 1968 wrote to memory of 2004	1968	rundll32.exe	mssecsvc.exe
PID 1968 wrote to memory of 2004	1968	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\770c0416bf0a1f935a095a497d5caa38_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\770c0416bf0a1f935a095a497d5caa38_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1968

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2004

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2624

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d89bdc253276f1823c37dfaf382e54a1

SHA1
92eb670566efc212ed024c30ea2f10e1da13a66e

SHA256
770b42a01d23f49f5551bd107a9540f48531da51ec8955db65578b50993ee897

SHA512
36bae9442b4d6aabb97ed75d58ed3c8bcfdc5476626d172a6f9955a8833d0cb7d9f6fbd6fda3f72b28da5c9aa8995c4c2d05ba0cc710ccd9b5745a8265911e42

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
51131f50fafa06fe593cbdcbd01146ba

SHA1
ed24d13f602d02b4826ee03d44d0a46ce631aeb9

SHA256
819c54cd64cb359d09cc07b84970e255818244106a2f735b919e4b8121cfcbab

SHA512
e76ad9eb3790349ac076feda04536ab8b2733a907d51dfd33f84b44b95469e4969bbd6c75eacb80f63cd4b4907a229d3074dc6cac381dd6e3ee290e689379cae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads