wannacry | 9d33ac1ab2c888d415559679c344607099ce07e6ca68723d293e2f19a5f71e38

General

Target

b1761d337705ff449e5559e97e125670_JaffaCakes118.dll
Size

5.0MB
MD5

b1761d337705ff449e5559e97e125670
SHA1

55d2689d133802a68fb79cdb4db85a017a91986d
SHA256

9d33ac1ab2c888d415559679c344607099ce07e6ca68723d293e2f19a5f71e38
SHA512

6cc9d0fb7993205d035920ef7df28241cef47ef977c388b4f79bc1db02e1d90c325f98e5a384511a1ff4d4383caf621159f3582a5a39d98f61171698c7cbef5d
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAD9P593R8yAVp2H:TDqPe1Cxcxk3ZADdzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3171) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2360 mssecsvc.exe
2656 mssecsvc.exe
2784 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2360	mssecsvc.exe
2656	mssecsvc.exe
2784	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecisionTime = 602c7fc399bfda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecisionTime = 602c7fc399bfda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\76-01-0c-0e-65-4b	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3032 wrote to memory of 2144	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2144	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2144	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2144	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2144	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2144	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2144	3032	rundll32.exe	rundll32.exe
PID 2144 wrote to memory of 2360	2144	rundll32.exe	mssecsvc.exe
PID 2144 wrote to memory of 2360	2144	rundll32.exe	mssecsvc.exe
PID 2144 wrote to memory of 2360	2144	rundll32.exe	mssecsvc.exe
PID 2144 wrote to memory of 2360	2144	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1761d337705ff449e5559e97e125670_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1761d337705ff449e5559e97e125670_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2144

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2360

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2784

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
80b975342a13c58d3fe7d7be24a93307

SHA1
f1e9f87f2eb0e0a26f5654ecde6b2ec88556d655

SHA256
88e82d0982d24a21149b58ad4a591eae18c16cfdd7e19158d6ad2d74924a227a

SHA512
7f1bf3dcdea0a85a89d2edf6194df24df6d6d2b6cfe38b7909dc37593ef0a514450e0e93133bce0f1a792a808cd66e5ab0e4801eed31709be60c94d186999a91

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
66f1695c50220eb3721124945c8c77f2

SHA1
96660f4cc1b20edaf78c212f84f6d35e75073e9c

SHA256
c5dff97718c28e9194b31f3c86f457543ddb9fb58ea6119d4c7d61d697882541

SHA512
2b75913910b5858fcc796f999b15b07e9843190f53c529b12d11385f4d2072c68bab29e70050d4a513785874ce8a2470a3fbd1738e6180f09136d3aab08167a7

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads