wannacry | c8e9a5082f10f794d2857e5c0edf2e3ea3301cfb1704bb2d0f9a93fe0e6564f1

General

Target

b620ebce74a3722976722cb24b0a2360_JaffaCakes118.dll
Size

5.0MB
MD5

b620ebce74a3722976722cb24b0a2360
SHA1

5966290ded08c6cbca1bcffb9fc71d996bfdb1d5
SHA256

c8e9a5082f10f794d2857e5c0edf2e3ea3301cfb1704bb2d0f9a93fe0e6564f1
SHA512

1198e5c62e27c53c2dde5c832bc7effb61d172f6701623ea7c80664f8ae3da6985e397d03d980f297abd7d5b37a377165589dfb237ba584e3531655e32e4f4b4
SSDEEP

49152:SnAQqMSPbcBVQej/1INRPT2becwT6DGMIBHuLZyLUcRhRt/IbmwW6HlAH:+DqPoBhz1aR6bevWSdOLZSPebdWI2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3178) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1640 mssecsvc.exe
2276 mssecsvc.exe
2668 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1640	mssecsvc.exe
2276	mssecsvc.exe
2668	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionTime = 60304fc653c0da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\d6-8e-05-c7-1d-61	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionTime = 60304fc653c0da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1976 wrote to memory of 1872	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1872	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1872	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1872	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1872	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1872	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1872	1976	rundll32.exe	rundll32.exe
PID 1872 wrote to memory of 1640	1872	rundll32.exe	mssecsvc.exe
PID 1872 wrote to memory of 1640	1872	rundll32.exe	mssecsvc.exe
PID 1872 wrote to memory of 1640	1872	rundll32.exe	mssecsvc.exe
PID 1872 wrote to memory of 1640	1872	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b620ebce74a3722976722cb24b0a2360_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b620ebce74a3722976722cb24b0a2360_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1872

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1640

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2668

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
1133bd59d2a2be03a78e5e9e659d57ea

SHA1
1eeacd3eac2965cdadd8dcf2076059eddace14cb

SHA256
b58779c949f829522d5532ece5f07eb60ff37283589e3b56de1302fd1f1c764b

SHA512
9aff80d7a112bc72d1b272a683401230dc3a4055bc1f805f091e8151b4760e53cb180afd85e34d0d00cf88c1008e43c8d9be36be99f588801359c179398aa854

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
bfe3d79dcd9f5cc07296e136bfc5d39d

SHA1
ce039d1351c6a9b906ca30ff390f025f3c555dcc

SHA256
91cae35cbc7bf141324590e16f02ec9c50a042c49d58477e30675de35adaeac5

SHA512
bc81a9584440cda71a597f7571fea02e3f9285d154297bbe1d40dceb9ecc3a8bc928bc3107aaa41aabcd69bc9c8761c4b4966d0e9bbedf7203c32b495d66445f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads