wannacry | fb5317e76d0f234aede9f26f60f40a278c241d27019518df2ab8909ead764788

General

Target

abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll
Size

5.0MB
MD5

abebc86c59b2aa2143a4aaf98ea34630
SHA1

385b79ff4bfe4dd43e06c287d11d1a067fbb5eb7
SHA256

fb5317e76d0f234aede9f26f60f40a278c241d27019518df2ab8909ead764788
SHA512

1395898edcc6ec8c97934711886cda105b5f8c4b5e1dc9ecf36ac8f9cf268882bad58945b369cc359557bc5b4ebba4e65c705c94f68f38ce9ab42f1403bf6545
SSDEEP

49152:znAQqMSPbcBVQej/1IwFvElh6h0mZQOy2DLscxez2Kr7GDVENG+VN+kszxR:TDqPoBhz1pv86h0mhEcwz

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2661) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2216 mssecsvc.exe
2788 mssecsvc.exe
3008 tasksche.exe

pid	process
2216	mssecsvc.exe
2788	mssecsvc.exe
3008	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\aa-f4-2a-2f-13-d5	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-f4-2a-2f-13-d5\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\WpadDecisionTime = 10291debafbeda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-f4-2a-2f-13-d5\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-f4-2a-2f-13-d5\WpadDecisionTime = 10291debafbeda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-f4-2a-2f-13-d5	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2168 wrote to memory of 2432	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2432	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2432	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2432	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2432	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2432	2168	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 2432	2168	rundll32.exe	rundll32.exe
PID 2432 wrote to memory of 2216	2432	rundll32.exe	mssecsvc.exe
PID 2432 wrote to memory of 2216	2432	rundll32.exe	mssecsvc.exe
PID 2432 wrote to memory of 2216	2432	rundll32.exe	mssecsvc.exe
PID 2432 wrote to memory of 2216	2432	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2432

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2216

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3008

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
093e8a1d86864424d3cdd1ebede4cc82

SHA1
07b534af48de27c84e046229cc25979fdbcaa53c

SHA256
7cd796d59db7e7ac878ad3335522104e1422e6fc721b2f1c327007578df01502

SHA512
df230b18fa382f8d419008ba2483fad3c08f910c0227925fef35d4d9a46ceeebe410d332326d0f2364b020dcb8de8253a9d2a9c6223e147d557369d1fa6eddf2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b4f7243af03b1dd769ff9240ac5efa9e

SHA1
4c33f4480a4ca13c434fe04d9f5a37cfb2691c37

SHA256
e871c13560d924fe7adceb03e49b233127c970a4855fa607913778581fbde45e

SHA512
c49ceddf726d6eefdb21573ccb5895089b0f28d1f411272bff5d86cb64b70d7535c9bf561e127c7d5a260adb482a33c26ee85d55f18938c2c43b3675fa725d6d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads