wannacry | 662d230ef492f0aa38110fe2f2af722f14aba973e52bac3b546cc41b1d430809

General

Target

828a58a6beb202cc90a00c2fc6fa628e_JaffaCakes118.dll
Size

5.0MB
MD5

828a58a6beb202cc90a00c2fc6fa628e
SHA1

3a0b356a400a83a492d9a745ce3ba87df6c74baf
SHA256

662d230ef492f0aa38110fe2f2af722f14aba973e52bac3b546cc41b1d430809
SHA512

37ed5ba3efe05b8c6bf11a0c3d72b17de4cd6a676bc13e96613ec39babb4ad2afab64a395196dbdefb51aede40f7fc547af700ff08f7fd347e22fa1a22bc4471
SSDEEP

49152:JnAQqMSPbcBVQnNRx+TSqTdX1HkQo6SAARdhnvxJM0H9:dDqPoB0RxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3322) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1848 mssecsvc.exe
2496 mssecsvc.exe
2508 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1848	mssecsvc.exe
2496	mssecsvc.exe
2508	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\8a-f5-ed-40-47-e4	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-f5-ed-40-47-e4\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\WpadDecisionTime = 70f8057e2ab2da01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-f5-ed-40-47-e4	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-f5-ed-40-47-e4\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-f5-ed-40-47-e4\WpadDecisionTime = 70f8057e2ab2da01	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1636 wrote to memory of 2188	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2188	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2188	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2188	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2188	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2188	1636	rundll32.exe	rundll32.exe
PID 1636 wrote to memory of 2188	1636	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 1848	2188	rundll32.exe	mssecsvc.exe
PID 2188 wrote to memory of 1848	2188	rundll32.exe	mssecsvc.exe
PID 2188 wrote to memory of 1848	2188	rundll32.exe	mssecsvc.exe
PID 2188 wrote to memory of 1848	2188	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\828a58a6beb202cc90a00c2fc6fa628e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\828a58a6beb202cc90a00c2fc6fa628e_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2188

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1848

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2508

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
54fc11502709bc989596b5f55af5e571

SHA1
f01953d6c85c5a4c8f4510193f817b179fdaa9f8

SHA256
29383b5be37d08fb96b00e34f95029c0722fad4baf84e48cf7b199970818f223

SHA512
d2d9b9970e0b75844e35fc76f585a8ddb90750c86c8458e30a5690fefe8a46461641e46471344975cdddfedd164846a5bdc2df2bc153695ba96640bba223fb00

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
b4756900de6f8253c5c3c1c0cd183834

SHA1
46bbd297244adc41fdb5e8e33523a8c7afdaa8cd

SHA256
cf3b34035662ffdf4069f5ccd04cfcef1125ea00b4bb985ef57be987294bca8e

SHA512
d018ba0f3b43d5f3cb6016f5d8819f1906ea0324f55778ad877d6cd3b665688584596d3388f2cae926899ac0d38b3db8767d5ce31daab25a9d1b7d243118250e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads