wannacry | 61161efca8ce39d4b1ea519789159985b506ea9c6f75d156fafc18acaad84dc6

General

Target

884724fd8436ea7e6f44ff3e08b9de52_JaffaCakes118.dll
Size

5.0MB
MD5

884724fd8436ea7e6f44ff3e08b9de52
SHA1

086b85280b0b5dc9c2da2c453e23412ab3d0b3de
SHA256

61161efca8ce39d4b1ea519789159985b506ea9c6f75d156fafc18acaad84dc6
SHA512

8512a1f0e15ae0ddb42f3d413993101400fb674bcf9da36440f4a1ff8e62f560c4af79c61d889e8a2ef045910d1dee5ba0140c9d9939e21fa3a3ca4a08604122
SSDEEP

49152:SnAQqMSPbcBV7NRx+TSqTdX1HkQo6SAA:+DqPoBvRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3324) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2884 mssecsvc.exe
2620 mssecsvc.exe
2664 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2884	mssecsvc.exe
2620	mssecsvc.exe
2664	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94DF80E4-0488-4721-A1B6-02772A79C990}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-dc-20-01-45-ff\WpadDecisionTime = 904418ac9ab3da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-dc-20-01-45-ff\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94DF80E4-0488-4721-A1B6-02772A79C990}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94DF80E4-0488-4721-A1B6-02772A79C990}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-dc-20-01-45-ff	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-dc-20-01-45-ff\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94DF80E4-0488-4721-A1B6-02772A79C990}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94DF80E4-0488-4721-A1B6-02772A79C990}\WpadDecisionTime = 904418ac9ab3da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94DF80E4-0488-4721-A1B6-02772A79C990}\4e-dc-20-01-45-ff	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2324 wrote to memory of 2660	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2660	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2660	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2660	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2660	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2660	2324	rundll32.exe	rundll32.exe
PID 2324 wrote to memory of 2660	2324	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2884	2660	rundll32.exe	mssecsvc.exe
PID 2660 wrote to memory of 2884	2660	rundll32.exe	mssecsvc.exe
PID 2660 wrote to memory of 2884	2660	rundll32.exe	mssecsvc.exe
PID 2660 wrote to memory of 2884	2660	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\884724fd8436ea7e6f44ff3e08b9de52_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\884724fd8436ea7e6f44ff3e08b9de52_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2660

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2884

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2664

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
259f8ef97d751a6811bb3c284d5308ad

SHA1
735ac50c25a22746b997bd4d609aaf6b753f597c

SHA256
fd42556208d3eabd5a0e34622263c0a41559eb2622a28fb4ac488866cfc6bfaa

SHA512
ac0f3730d6b9e9d0d94b04a05caed146fd60b17a803237ec8bedcc9484b9569428e6ef44cf443184a7abeaf577f3fab702ab89323fdcfad48c1bc24a1171e1ea

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
5e067e52693fdc7609f729305b3c9f05

SHA1
c145b215e9c52992ebe5d7a74f102a91723928ff

SHA256
23152dcc5d4d8f1638301c3baa843d67555740174486b9b92dc1ecdc316141ba

SHA512
66e67959c1a6c3fcdbf50a7e6045e1e525ba78495ea13321278c82fbda17d092f8683f17462da5add279273efad12b96d7aeedcf89368d5296db9fa651995d7b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads