wannacry | aeb3230d728a899a2db6d4323641664ff724a0c6dd28c2a4083f73295deb5510

General

Target

7cd62314699e88eb5f1fad16e4054ad4_JaffaCakes118.dll
Size

5.0MB
MD5

7cd62314699e88eb5f1fad16e4054ad4
SHA1

179d952b83b96ff6647347cd840769cef070a3cf
SHA256

aeb3230d728a899a2db6d4323641664ff724a0c6dd28c2a4083f73295deb5510
SHA512

13a360bb21177860526b489dd375ba80acf4f0ce48f31249bc89cce48c36339127ff1113fec576824833fe5b046e838e5aa36c47d51a98614972941e2248b88b
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKkYyqGR:SnAQqMSPbcBVQej/1IN3

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3217) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1632 mssecsvc.exe
2112 mssecsvc.exe
2568 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1632	mssecsvc.exe
2112	mssecsvc.exe
2568	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-41-54-19-fa-1c	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC485B8B-F168-49B2-94FA-9609D2448111}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC485B8B-F168-49B2-94FA-9609D2448111}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC485B8B-F168-49B2-94FA-9609D2448111}\c6-41-54-19-fa-1c	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-41-54-19-fa-1c\WpadDecisionTime = 50b55441fab0da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC485B8B-F168-49B2-94FA-9609D2448111}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC485B8B-F168-49B2-94FA-9609D2448111}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-41-54-19-fa-1c\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-41-54-19-fa-1c\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC485B8B-F168-49B2-94FA-9609D2448111}\WpadDecisionTime = 50b55441fab0da01	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1684 wrote to memory of 2368	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2368	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2368	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2368	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2368	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2368	1684	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2368	1684	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 1632	2368	rundll32.exe	mssecsvc.exe
PID 2368 wrote to memory of 1632	2368	rundll32.exe	mssecsvc.exe
PID 2368 wrote to memory of 1632	2368	rundll32.exe	mssecsvc.exe
PID 2368 wrote to memory of 1632	2368	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7cd62314699e88eb5f1fad16e4054ad4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7cd62314699e88eb5f1fad16e4054ad4_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1632
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2568

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
aeb574c1995ae12c05fc8ad96dc6e22d

SHA1
936d2f9d6bf1c075db7f636405b03e5bb2342c5d

SHA256
e5f4b9498420f8e267212dae22131f03fb47bed487ac94b70a3fd5b5c651aeb3

SHA512
5977f88e906368c9442af9d5085ee68d56cb6730db5e93e6879616d40cb6cacc86ac2fd5b4df7ef6d4bb210da3c96d976722dac58154b188e99a6dd827e787f4

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
24070bdaf7d008f7f53d917ca9c0b42c

SHA1
a9676a02a2a38e785e96f1dac4a9d6ad74a01d05

SHA256
b421d86ffa86c29ad9851c47eb4aeac1baba8fe9254fd9896fa8ad49049df046

SHA512
625e18843a4c77b88ac0f8ae9ab4747af93eb455e377f2200c68415bdb38a18efd4195f1b540bd3472b75a0a9e63f19c026983c0da6152d241eb5bb3146382b4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads