wannacry | d95046fcae8f8b55b9a2c5af4f06f1355a7540af084ac4246ca576115f8b892b

General

Target

90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll
Size

5.0MB
MD5

90c8869e6e9d1f1b1b1f221fb032e218
SHA1

dcad9af675d7b34dab3e48d880ea9c7caed17e19
SHA256

d95046fcae8f8b55b9a2c5af4f06f1355a7540af084ac4246ca576115f8b892b
SHA512

3cd7847e617048af2e369ef1f93687ca02e60ca3aa1f874a25c3ed9f1b334bcad2cf71ccb3aef025d76dfd6c7a378b2c599a67b14641a5275cdf2df012843baf
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef09EcpcL7nEaut/8uME7A4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBV9EcaEau3R8yAH1plAH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3186) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3068 mssecsvc.exe
2316 mssecsvc.exe
2620 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
3068	mssecsvc.exe
2316	mssecsvc.exe
2620	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\3e-be-35-c3-05-ad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad\WpadDecisionTime = 807f97917cb5da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadDecisionTime = 807f97917cb5da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadNetworkName = "Network 2"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2552 wrote to memory of 2740	2552	rundll32.exe	rundll32.exe
PID 2740 wrote to memory of 3068	2740	rundll32.exe	mssecsvc.exe
PID 2740 wrote to memory of 3068	2740	rundll32.exe	mssecsvc.exe
PID 2740 wrote to memory of 3068	2740	rundll32.exe	mssecsvc.exe
PID 2740 wrote to memory of 3068	2740	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2740

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3068

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2620

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
425027950eceb3ef8618a41d4c2c7561

SHA1
699a7ca5c7d80efe6686626e3cb0dead45c160fa

SHA256
aecbe9a152fa04a3d621917d9dbf46a00d0f48832ef72763d8a36e7d741e3f69

SHA512
67d9198eaeb7d223ea63468155df4398a52f00c8fa8a04806476e37f81a1a6b1040df5bd826c335ccb8f063834067a38cb912dc58841699207550a836c4662ac

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
0d69feba1b77be64ffe3e073ceac533a

SHA1
a24bbc7d295954433f2f2b897bc4c48a3bab698a

SHA256
0bba41a3a33d8a913dd6ef84a371661da83d724a191f7cb2fa09753f913b80df

SHA512
83e4e65cf686235020ee2bcabd6f90be81a35a8d43f90d671f22a6136b41c0b1ffcc13416d6c2a7de02362a2dd288fe3058e4e4d924544117b0c675f2dde5259

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads