wannacry | 02e4a7ebf81840f41a3c8b5e330a37977b7783120ed12deca77d30825266810d

General

Target

29a9dd686f08aacddacc43a0c57215f2_JaffaCakes118.dll
Size

5.0MB
MD5

29a9dd686f08aacddacc43a0c57215f2
SHA1

3ed8902c24568adafc3ac35d9b4c92ba02406e8c
SHA256

02e4a7ebf81840f41a3c8b5e330a37977b7783120ed12deca77d30825266810d
SHA512

28234611882e8facdb6feb0072d72d4c8790d57a2b5eba33074f914a0a04ee4d95f50a4c9038c04526db37b5678e5d53363fb3f0ea168e13d948aa950e0fc4d4
SSDEEP

12288:T1bLgmluCti62ybaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DuGEpGCsrp:RbLgurihdmMSirYbcMNgef0j6n

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2065) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 2 IoCs

pid	Process
612	mssecsvr.exe
2932	mssecsvr.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadDecision = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadNetworkName = "Network 3"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2\WpadDecisionReason = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2\WpadDecisionTime = 303362b429d0da01	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0081000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadDecisionTime = 303362b429d0da01	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\1e-fd-53-ca-e5-b2	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 708	2352	rundll32.exe	29
PID 2352 wrote to memory of 708	2352	rundll32.exe	29
PID 2352 wrote to memory of 708	2352	rundll32.exe	29
PID 2352 wrote to memory of 708	2352	rundll32.exe	29
PID 2352 wrote to memory of 708	2352	rundll32.exe	29
PID 2352 wrote to memory of 708	2352	rundll32.exe	29
PID 2352 wrote to memory of 708	2352	rundll32.exe	29
PID 708 wrote to memory of 612	708	rundll32.exe	30
PID 708 wrote to memory of 612	708	rundll32.exe	30
PID 708 wrote to memory of 612	708	rundll32.exe	30
PID 708 wrote to memory of 612	708	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29a9dd686f08aacddacc43a0c57215f2_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\29a9dd686f08aacddacc43a0c57215f2_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:612

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
b304073942fba0ddb2c4e201e6a56afe

SHA1
3d11a91ce696461e97b21a138bed49004861df83

SHA256
b8a9a06be3f08243eb994503369be36ed71701b28c07dd98d84ed8f434de0a6d

SHA512
d02d8eeecad65b2a118098373b2eda96de9d4c061cfda3aaccda91b272ab9b8b6de24b3a99cc4d7c61a34c879af5a3df08f6ce618441f9f27433eadccee9b088

Download Submit

Analysis

Sharing