wannacry | abd1c51660836bbaa7e15bff5153aff2b00fe6ef34c5c27f258d8aafcad39aa4

General

Target

803b64a54c131c3ca63aeb25bcb919ff_JaffaCakes118.dll
Size

5.0MB
MD5

803b64a54c131c3ca63aeb25bcb919ff
SHA1

1f314558297d78b4cfe8f35964f3b604f2a310ad
SHA256

abd1c51660836bbaa7e15bff5153aff2b00fe6ef34c5c27f258d8aafcad39aa4
SHA512

277a2ae69715784c2c5760ee6562043a92a51bd2459cff889c6fed3acec802a8083c56d178e7567c4fc95b2d63caed49b1e79cb374f6ceb88a5f52173bc19a40
SSDEEP

49152:SnAQqMSPbcBVQejcYp/P/G8txAMEcaEau3R8yAH1plAH:+DqPoBhh/P/Fx593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3276) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2504 mssecsvc.exe
2536 mssecsvc.exe
2440 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2504	mssecsvc.exe
2536	mssecsvc.exe
2440	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\5a-7a-5e-ac-ac-3b	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecisionTime = 40fc6b16a9b1da01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecisionTime = 40fc6b16a9b1da01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0087000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadNetworkName = "Network 3"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3036 wrote to memory of 2956	3036	rundll32.exe	rundll32.exe
PID 3036 wrote to memory of 2956	3036	rundll32.exe	rundll32.exe
PID 3036 wrote to memory of 2956	3036	rundll32.exe	rundll32.exe
PID 3036 wrote to memory of 2956	3036	rundll32.exe	rundll32.exe
PID 3036 wrote to memory of 2956	3036	rundll32.exe	rundll32.exe
PID 3036 wrote to memory of 2956	3036	rundll32.exe	rundll32.exe
PID 3036 wrote to memory of 2956	3036	rundll32.exe	rundll32.exe
PID 2956 wrote to memory of 2504	2956	rundll32.exe	mssecsvc.exe
PID 2956 wrote to memory of 2504	2956	rundll32.exe	mssecsvc.exe
PID 2956 wrote to memory of 2504	2956	rundll32.exe	mssecsvc.exe
PID 2956 wrote to memory of 2504	2956	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\803b64a54c131c3ca63aeb25bcb919ff_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\803b64a54c131c3ca63aeb25bcb919ff_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2956

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2504

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2440

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5e93731697f153c5339e084de62f3ecc

SHA1
25c779344517425f6945e7812484b12110b5e1f1

SHA256
3019d601296f556bd8152ca2e28cf858f4052bd9a4e18c01021ce5722b4af4ad

SHA512
e52463c99b10b4bc98f425f4c51e68f53e0521617a052a914b898cb3a9578df50211fdf96de2d8659e35bf8ba8bbaf85cc745760c50c6e199483254dfb20b25b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
5c14d207e5e205af2dd897d71bc6f593

SHA1
ca98c43f9b4dcd5c00ab39ab2e9c5089c26e9328

SHA256
6e2b6f305bfb28694bd360ae2644d71c4fbdf5ab0613572f1675669ef9895f8e

SHA512
4e490e4437ceefeabc4009e7345372024b603ec96894887b2ce4ef02038aef9171f8fed362180f93f670aaa363d54ec216504f5be17871abac92d316898910a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads