wannacry | 46fb5d108b98f5d7ba3e3d9d8eb47078d5de6e4a93a2a15ba35038cd9eac7416

General

Target

a9981f085be37a7911978dadd3596379_JaffaCakes118.dll
Size

5.0MB
MD5

a9981f085be37a7911978dadd3596379
SHA1

f79c43f6032339d9c3845f3188f15010311c173e
SHA256

46fb5d108b98f5d7ba3e3d9d8eb47078d5de6e4a93a2a15ba35038cd9eac7416
SHA512

6befc04ee4562ef8757d9443b58b26eaf95e1af430cf25b3e7face5a05a40cb774565a8b3035a346bcc2a002a49b1f5dfa4bf16ef4614e351ce4f7e543d83f03
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5K3R8yAVp2:+DqPe1Cxcxk3ZAEUadeR8yc4

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3230) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1632 mssecsvc.exe
2252 mssecsvc.exe
2708 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1632	mssecsvc.exe
2252	mssecsvc.exe
2708	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\WpadDecisionTime = 204d0c5c53beda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-71-55-44-92-e4\WpadDecisionTime = 204d0c5c53beda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-71-55-44-92-e4\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-71-55-44-92-e4	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\26-71-55-44-92-e4	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0058000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-71-55-44-92-e4\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1876 wrote to memory of 1448	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1448	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1448	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1448	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1448	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1448	1876	rundll32.exe	rundll32.exe
PID 1876 wrote to memory of 1448	1876	rundll32.exe	rundll32.exe
PID 1448 wrote to memory of 1632	1448	rundll32.exe	mssecsvc.exe
PID 1448 wrote to memory of 1632	1448	rundll32.exe	mssecsvc.exe
PID 1448 wrote to memory of 1632	1448	rundll32.exe	mssecsvc.exe
PID 1448 wrote to memory of 1632	1448	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9981f085be37a7911978dadd3596379_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9981f085be37a7911978dadd3596379_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1448

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1632

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2708

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
a6cf0063c310eff7191fba13053327e3

SHA1
edc0de3f1e1e95bee18dcf2fbfe3ed1e41047c73

SHA256
ebe23a239ca7be087cf17fe324379bb2f86fa1e2051b72e945254f83e453f1bf

SHA512
86d3e472de58185a6d0c763398c067bb1ecff20f848322a58aa5024435ffcc565f6de363b770960589b9223542fcf23379e9e00f2bfb98d70255c54425fb468c

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
10257bc6a0be95ba773b16aa106767a3

SHA1
7c5a6de791c5791293b8ba9306f2cd1bd30dea8f

SHA256
342ce7cab19d9404536f07fa585da89adb3a86cb8bfedfba8fa32e60698a93e6

SHA512
eaffdfed2de4da4727975a0c365ad636f6e842f724fe29840ad7bb4380c0cc32aa7ccbcb92a68013e798750b0e58f4c748df1a5bb9722aad3c07636d49e998b7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads