wannacry | 056711fcd000139ea3c4f68ab7bf037d6b9e17364921434d809dac41df02375f

General

Target

af6f6a5074b46216c322964b72f1def4_JaffaCakes118.dll
Size

5.0MB
MD5

af6f6a5074b46216c322964b72f1def4
SHA1

da3b3628ce94c206129934f2bb62705001192760
SHA256

056711fcd000139ea3c4f68ab7bf037d6b9e17364921434d809dac41df02375f
SHA512

0d3e140aa158c7f6272a8e737977705d3eb2de664158a344353ede8b33395c9d03177ce760b99b9796fb73f8fe369b6a19c5c24c6a3b698d6e039910e045cf67
SSDEEP

98304:+7qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp:+7qPe1Cxcxk3ZAEUadzR8yc

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2663) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2000 mssecsvc.exe
2488 mssecsvc.exe
1896 tasksche.exe

pid	process
2000	mssecsvc.exe
2488	mssecsvc.exe
1896	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{170BA265-AA41-41B0-AEFD-E19A4027BC91}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{170BA265-AA41-41B0-AEFD-E19A4027BC91}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{170BA265-AA41-41B0-AEFD-E19A4027BC91}\9a-15-cb-b8-8e-a5	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-15-cb-b8-8e-a5\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-15-cb-b8-8e-a5\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-15-cb-b8-8e-a5\WpadDecisionTime = 50069bb044bfda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-15-cb-b8-8e-a5	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{170BA265-AA41-41B0-AEFD-E19A4027BC91}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{170BA265-AA41-41B0-AEFD-E19A4027BC91}\WpadDecisionTime = 50069bb044bfda01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{170BA265-AA41-41B0-AEFD-E19A4027BC91}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1936 wrote to memory of 1684	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1684	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1684	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1684	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1684	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1684	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 1684	1936	rundll32.exe	rundll32.exe
PID 1684 wrote to memory of 2000	1684	rundll32.exe	mssecsvc.exe
PID 1684 wrote to memory of 2000	1684	rundll32.exe	mssecsvc.exe
PID 1684 wrote to memory of 2000	1684	rundll32.exe	mssecsvc.exe
PID 1684 wrote to memory of 2000	1684	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af6f6a5074b46216c322964b72f1def4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af6f6a5074b46216c322964b72f1def4_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1684

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2000

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1896

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
1cbe480310f9bc9ccfe4292e0fadbecf

SHA1
f534ec78b37c0b4385ecf8329aee3fb38283c2e8

SHA256
1762ee3efcb40c091d7df8d8c0b0a4b255d2bc45e41e3f3c16278adc44af7647

SHA512
75ddcd063c3fb341b2363a668a1f7933bdd7f7d31fa5b69163c2f0c797318802aa18fd448143ef32023b18085cd44b9250ebd6a6b002af3fec98019a21e5457f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a30252e529176999fc14a8c7ae2fd66f

SHA1
9f2e9910b290b01786fd89baef5449879bc9a182

SHA256
5081fc16a09228c4bb6d0985f9172614d588d6098420119043b63455f910a33f

SHA512
40fc6dcc69e983802515735a9ccc067ad0f6cec4033a226c2da913c193f0e2a9b12e4152b06b61417d394b99ddce3b8b98fdf605f1fbdebf67717eca5def2b25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads