wannacry | 369ad5830734091f7442a3ba7df851ccf8540d4126ab3772bc3fbce21a581467

General

Target

bad3571f77a59efd21efa453606896c3_JaffaCakes118.dll
Size

5.0MB
MD5

bad3571f77a59efd21efa453606896c3
SHA1

16645afb980c20778ef2ba8d3cbcf0182a0b3778
SHA256

369ad5830734091f7442a3ba7df851ccf8540d4126ab3772bc3fbce21a581467
SHA512

aa6ba439098395f2759314245f96a47fdc66efc359669a7d94d70db9b6ae4b344d5de17ab14d8bdf79a077e956322582d787b32514f9d8ba959c410bd2f090ea
SSDEEP

98304:TDqPoBhz1aRxcSUDk+dOLZ8593R8yAVp2H:TDqPe1Cxcxk2OLazR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2674) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3012 mssecsvc.exe
3016 mssecsvc.exe
2040 tasksche.exe

pid	process
3012	mssecsvc.exe
3016	mssecsvc.exe
2040	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\c2-ec-e7-c5-a8-51	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\WpadDecisionTime = 60df6ccd5bc1da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{452D8D09-F359-4BC8-B573-BE240584E621}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51\WpadDecisionTime = 60df6ccd5bc1da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-ec-e7-c5-a8-51\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2920 wrote to memory of 2976	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2976	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2976	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2976	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2976	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2976	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2976	2920	rundll32.exe	rundll32.exe
PID 2976 wrote to memory of 3012	2976	rundll32.exe	mssecsvc.exe
PID 2976 wrote to memory of 3012	2976	rundll32.exe	mssecsvc.exe
PID 2976 wrote to memory of 3012	2976	rundll32.exe	mssecsvc.exe
PID 2976 wrote to memory of 3012	2976	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bad3571f77a59efd21efa453606896c3_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bad3571f77a59efd21efa453606896c3_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2976

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3012

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2040

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
63a1ebb4a57d3564763b1a6de97835c1

SHA1
082e2f982e5606596c25260aa0eb6c197a11e85a

SHA256
49d9893564973a2e3c22b121926d871e3447a61142b6a3ed71b8aadaaa82804d

SHA512
0709b77d941c33202c9a297f9db3e94a0b7f12cf3f8361e0b0cc74efb9da9684b02abf276a042e30d0d76435e362acbfd75c565178384fedefff5136d54ee186

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
cdbe35020810e2b545ee06bd059df24b

SHA1
fec4f7368185239203068f8c602c2e2f3122a64d

SHA256
fb1683f8cd99ddac334d24746912fa516c30da481f85a7a19601bf25f6670282

SHA512
cccbc466de9ede293bcb3ec4a9fcb2338200efa741053c60811b7057014bf508919a488b6907fb60afbc8cbbbb73935275e3458695e03b6e9a549bbb5dd45b09

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads