wannacry | 1fe8c9aa6cae51464d6a30e49758c0a7bdef1766b5e7f0fbc03468fc5018583c

General

Target

a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll
Size

5.0MB
MD5

a7ad39749481cbe97852995ca17dc79f
SHA1

71be9aab613b8323377213ab2d0f1b27eb3b7777
SHA256

1fe8c9aa6cae51464d6a30e49758c0a7bdef1766b5e7f0fbc03468fc5018583c
SHA512

5f52ebc4eef192b98a665992fd8692857c97df63962396614c9bce1852fe8e8cb1936c3af1404acd92462d1d28c2860ea4e395f6152ed4805220fb3b0257b150
SSDEEP

49152:SnAQqMSPbcBVQej/1INRdSqTdX1HkQo6SAARdhgFEnAEYc8c6Ri5WN6njF2nAEYH:+DqPoBhz1aRdSUDk36SAEdhn

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3331) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3020 mssecsvc.exe
2540 mssecsvc.exe
2672 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
3020	mssecsvc.exe
2540	mssecsvc.exe
2672	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00eb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-3a-ff-9b-33-9c\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\WpadDecisionTime = 1057e78affbdda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-3a-ff-9b-33-9c\WpadDecisionTime = 1057e78affbdda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-3a-ff-9b-33-9c\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-3a-ff-9b-33-9c	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\de-3a-ff-9b-33-9c	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2944 wrote to memory of 1652	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 1652	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 1652	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 1652	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 1652	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 1652	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 1652	2944	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 3020	1652	rundll32.exe	mssecsvc.exe
PID 1652 wrote to memory of 3020	1652	rundll32.exe	mssecsvc.exe
PID 1652 wrote to memory of 3020	1652	rundll32.exe	mssecsvc.exe
PID 1652 wrote to memory of 3020	1652	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3020

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2672

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
a25bece31e4c4348c705d61b775cb557

SHA1
8287bbd0daffbcfeb3c651f949dc665b20f47fc9

SHA256
fe8c7e7fe819bf178af0977c36932acaf9b2af904accfd6eff67d436ac4e57c5

SHA512
57d812790a778f99b95df24bf303c980bb91b56be5916302e879a82158fb7158367c0167b9a9198fd78dc1a57e1bac1692e236b89c8ab6c46720b698e84bb171

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b8c04e629eb09b7ec4ddc4bb4fa4d4ff

SHA1
3e71fa5abc40f30e8eea5a3af92e3eec17df9376

SHA256
3802abe3243ffcbfbb8dba64faca34b985b0d07981eb56cbd31b6884ea46c0bc

SHA512
11b5e1fb2abecef2e5b54871c0549e710c9509c264cfd3423de5ef727cbd67a2e9bf96e9c5935ff2a0ee2461dafd2b77e4c55365dca9715d9edf21f6e86ba326

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads