wannacry | c6a3250501aca122f8ada0a3d9b7586144a17ea89ff5730d2537b9a3942927ba

General

Target

b2f17d000ec84280617f1b2d0c9acd03_JaffaCakes118.dll
Size

5.0MB
MD5

b2f17d000ec84280617f1b2d0c9acd03
SHA1

6972b0feef439cdfae2a7b77de7c30d21c63064b
SHA256

c6a3250501aca122f8ada0a3d9b7586144a17ea89ff5730d2537b9a3942927ba
SHA512

5083fc7761d87a142a2216e29fdbb57c60cd17f9ddee7b3427eaf1ee526822464062dc763992486b3ba99d45c2d713ad879690f0f39b2774fb1ae301d5ef9405
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM:+DqPoBhz1aRxcSUDk36SAEdhvxW

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3341) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2328 mssecsvc.exe
2616 mssecsvc.exe
2604 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2328	mssecsvc.exe
2616	mssecsvc.exe
2604	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\WpadDecisionTime = 5060bd1bd5bfda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b\WpadDecisionTime = 5060bd1bd5bfda01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\5e-6d-4b-d7-b9-1b	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2244 wrote to memory of 2036	2244	rundll32.exe	rundll32.exe
PID 2244 wrote to memory of 2036	2244	rundll32.exe	rundll32.exe
PID 2244 wrote to memory of 2036	2244	rundll32.exe	rundll32.exe
PID 2244 wrote to memory of 2036	2244	rundll32.exe	rundll32.exe
PID 2244 wrote to memory of 2036	2244	rundll32.exe	rundll32.exe
PID 2244 wrote to memory of 2036	2244	rundll32.exe	rundll32.exe
PID 2244 wrote to memory of 2036	2244	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 2328	2036	rundll32.exe	mssecsvc.exe
PID 2036 wrote to memory of 2328	2036	rundll32.exe	mssecsvc.exe
PID 2036 wrote to memory of 2328	2036	rundll32.exe	mssecsvc.exe
PID 2036 wrote to memory of 2328	2036	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2f17d000ec84280617f1b2d0c9acd03_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2f17d000ec84280617f1b2d0c9acd03_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2036

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2328

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2604

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
46f4cfb7f7f58d504a7c00827485cfb3

SHA1
1be4dbb360bc57c769a5af1b21c97d40d4af9450

SHA256
00097cd13fec6bff5ba96e8a9b4c519bd2dc9d032a99217cf2b006553190e1dd

SHA512
2d3b97f98b06f5b11aa2aa4279789f8f5bb21ee723db4a2de678a85cf3e5e40bf3cb1b404e9f0cefa4c185eca7fae889c8ae8cbad18d02adf4ccefcdb62372d7

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
d8f5582b163c409bfe9b7a9884260fae

SHA1
a8a9f4a7d7fbc127ed5a64c1ae165506c38ffdaa

SHA256
21a13187f4df8d4fd86d718e89f5226ed1fa62cdee010b459da3fbe4f8501786

SHA512
42c10f5c46cd7f7990d5924c848c91c4c903f83c49860eba052215b7c9d854b532931af6fdbdc2f2052f0dc22479803407601779d4d40c9f05d769fad68ec36c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads