wannacry | 22f08fa4efaf2bd2d87ca337d1b5641519725640f40d190fdcd3875e3b95e999

General

Target

75e24aea15162245448361892ea979d7_JaffaCakes118.dll
Size

5.0MB
MD5

75e24aea15162245448361892ea979d7
SHA1

eb45e80dab5f0a686701cb97ea3bbece94f467db
SHA256

22f08fa4efaf2bd2d87ca337d1b5641519725640f40d190fdcd3875e3b95e999
SHA512

1bedbf28adb48e5fdadf5d8635c61462edfd716ba9a9b6ce1227daa280d365ab48510024557f54282891b2e8523f600c5a1fead6cbf78e3269e97e865b337a1c
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:TDqPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3282) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2696 mssecsvc.exe
2680 mssecsvc.exe
2752 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2696	mssecsvc.exe
2680	mssecsvc.exe
2752	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7665CDDC-8190-44D6-AAE2-E8BD16642D8C}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7665CDDC-8190-44D6-AAE2-E8BD16642D8C}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7665CDDC-8190-44D6-AAE2-E8BD16642D8C}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7665CDDC-8190-44D6-AAE2-E8BD16642D8C}\WpadDecisionTime = 30a8e6ef7eafda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7665CDDC-8190-44D6-AAE2-E8BD16642D8C}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7665CDDC-8190-44D6-AAE2-E8BD16642D8C}\7e-cd-4d-6f-45-6b	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-cd-4d-6f-45-6b\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-cd-4d-6f-45-6b\WpadDecisionTime = 30a8e6ef7eafda01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0088000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-cd-4d-6f-45-6b	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-cd-4d-6f-45-6b\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1524 wrote to memory of 2024	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2024	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2024	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2024	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2024	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2024	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2024	1524	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2696	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 2696	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 2696	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 2696	2024	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75e24aea15162245448361892ea979d7_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\75e24aea15162245448361892ea979d7_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2696
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2752

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
4dcd1a0e69737b7dabfc674939128b3b

SHA1
6b52a9657275749f0bb9aaff087d9e21775f6852

SHA256
a5ba3219efbbf382fb4fc972549afbd7d721c4b49b4af92b8a767ec23de26a38

SHA512
bc4a882c520e5b2aa9c0a91b917e9aa13a1a58e9667ba37030428df0296d3e863e431d8241fc59079b8395e748769e366a68fbada74c1107495ddacb8a9dcbfc

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
52b3e549e037de9a3109704ccd4aaa72

SHA1
f382881b2e454977b4fd4686834866350ef66b94

SHA256
d6361700e59b6339ed38270a4970b512f08f1f9dc8819e03d5b7bded7f1d5714

SHA512
7a232b012b314124a743dd8569a5a5970b4d6bfc0445fd12d74bc203135bd8a8d5f5daf0ce30602825da3a87e77e57192309eefcf96fda6a7439ae6806eba948

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads