wannacry | 3318cd377e99133380674c6fcb5f845d04a7c3c9698b0a10eed5c50fdff13b25

General

Target

af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll
Size

5.0MB
MD5

af15853ba75f038f0ec9b256c953db26
SHA1

0e6454be8f386a253ce50350f7e592d6e37f485a
SHA256

3318cd377e99133380674c6fcb5f845d04a7c3c9698b0a10eed5c50fdff13b25
SHA512

6eae530eda00894c7c04a22ccbfaadcf915a4f0b84991c42c90d24c2f5f898f0e8d553895485802ecf45385cfa61b2562c066d8bda28df14bb6539746e27d923
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8:TDqPe1Cxcxk3ZAEUadzR8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3062) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2196 mssecsvc.exe
2384 mssecsvc.exe
2632 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2196	mssecsvc.exe
2384	mssecsvc.exe
2632	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-a7-bb-0a-8c-28\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-a7-bb-0a-8c-28	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-a7-bb-0a-8c-28\WpadDecisionTime = f081a94c38bfda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-a7-bb-0a-8c-28\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{952085C6-3B3F-45AD-89B3-E2ED9AF60DB9}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{952085C6-3B3F-45AD-89B3-E2ED9AF60DB9}\WpadDecisionTime = f081a94c38bfda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{952085C6-3B3F-45AD-89B3-E2ED9AF60DB9}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{952085C6-3B3F-45AD-89B3-E2ED9AF60DB9}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0041000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{952085C6-3B3F-45AD-89B3-E2ED9AF60DB9}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{952085C6-3B3F-45AD-89B3-E2ED9AF60DB9}\86-a7-bb-0a-8c-28	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2220 wrote to memory of 2352	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 2352	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 2352	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 2352	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 2352	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 2352	2220	rundll32.exe	rundll32.exe
PID 2220 wrote to memory of 2352	2220	rundll32.exe	rundll32.exe
PID 2352 wrote to memory of 2196	2352	rundll32.exe	mssecsvc.exe
PID 2352 wrote to memory of 2196	2352	rundll32.exe	mssecsvc.exe
PID 2352 wrote to memory of 2196	2352	rundll32.exe	mssecsvc.exe
PID 2352 wrote to memory of 2196	2352	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2352

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2196

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2632

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
38eb23176b98ab5b2e3f0889b07a4549

SHA1
768d48eda8354e73a5144ba04fafc4eabc9b9109

SHA256
caab28bd06cbf419db7ab2d9841b222d1507b8f446c2d86169e1b45e460d44d1

SHA512
eacf34d469320e411143b419e7e16c237e3eb2da17be2185f1757f9ecf649ae246b835c2a92dbd775bc31b1e81740d7a65c815d32bfc4fe9da6f3f919dc403b0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
16a42dab43ceee83448d66af017f813f

SHA1
cee73a8cf689f0d2f3a4930947f15a39e55803f0

SHA256
3e41be7f4946a6c5c858fa62b331a84f8a54c5fb8d42b412a6ccbdd3851015ba

SHA512
95bae8295680cb4c2c60038da8211d1ce9ef6895b375b3e36c1cb8eb7d99d609e4146a7697c7835cde1a41990036c2854aeaa086fcd9ebce7262dc51d2acf111

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads