wannacry | dc4b65fc3dfd6135ec097f87aa03331fb6adb3adbdc417459c86e75521a82afd

General

Target

ac55d00336b4e116c90b0462d84f9475_JaffaCakes118.dll
Size

5.0MB
MD5

ac55d00336b4e116c90b0462d84f9475
SHA1

6b2dddbbdb47a66651b5e7698da3687065fd2aa5
SHA256

dc4b65fc3dfd6135ec097f87aa03331fb6adb3adbdc417459c86e75521a82afd
SHA512

fa8bfb34ea3599205a4726b4d7070b4f36a6152672cb619e532412dc0b99b54e525cb7c550df34a1ce566f23d944ecd1f6cc22ef87c1dee13aa9f94709979a0f
SSDEEP

12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D:SbLgddQhfdmMSirYbcMNgef0

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2666) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
852	mssecsvc.exe
2768	mssecsvc.exe
2696	tasksche.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1a-fd-5a-f5-aa\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1a-fd-5a-f5-aa\WpadDecisionTime = 80ca6fb8bfbeda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\WpadDecisionTime = 80ca6fb8bfbeda01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1a-fd-5a-f5-aa	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\ee-1a-fd-5a-f5-aa	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1a-fd-5a-f5-aa\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2012	2056	rundll32.exe	28
PID 2056 wrote to memory of 2012	2056	rundll32.exe	28
PID 2056 wrote to memory of 2012	2056	rundll32.exe	28
PID 2056 wrote to memory of 2012	2056	rundll32.exe	28
PID 2056 wrote to memory of 2012	2056	rundll32.exe	28
PID 2056 wrote to memory of 2012	2056	rundll32.exe	28
PID 2056 wrote to memory of 2012	2056	rundll32.exe	28
PID 2012 wrote to memory of 852	2012	rundll32.exe	29
PID 2012 wrote to memory of 852	2012	rundll32.exe	29
PID 2012 wrote to memory of 852	2012	rundll32.exe	29
PID 2012 wrote to memory of 852	2012	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac55d00336b4e116c90b0462d84f9475_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac55d00336b4e116c90b0462d84f9475_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:852
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2696

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
7241a4c80c5cd50e327a03c4a2fd1414

SHA1
0062a1fdabbe1770622f0f8b344c12cac5030094

SHA256
44f6816a11c2dec8d4e1df66737f999cf8202b7124732f6d5af10233bfbb9263

SHA512
e1859625862a9c2b7fcb43215dfe3141c37902b05421ce49750bbc3620a02621573f453058afbecd5b3aa9d4e8d9a05bff8583fc349f0e7dacafd1b98ac14eff

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
43e98b7d1c7bc597e39c4d303f22b019

SHA1
693e23e5c13661ea64a117076b05fae9f7d8f57e

SHA256
ee055357229be369676a1d7443af914c2f536590d2e34130f9c133799ff21421

SHA512
49ee653d96f0ec3e0e5c651d3ff5ad628f2bfb81e274b3f3dedfe0537ba9dee404d5bc197745c93e208ef0f2b8e6a392e59bb2042b789e1e8021d9657a6d37c4

Download Submit

Analysis

Sharing