wannacry | e58460224496dbc08ff03c6162cf20e6e5b0b7e38acd0e6fec4003a6a090eb2e

General

Target

47765f90c0fb0320afb71996d787206e_JaffaCakes118.dll
Size

5.0MB
MD5

47765f90c0fb0320afb71996d787206e
SHA1

8dbc1243d4b0c8cda1d483d7386bc30cb29e5482
SHA256

e58460224496dbc08ff03c6162cf20e6e5b0b7e38acd0e6fec4003a6a090eb2e
SHA512

87ddb73ffbf29399f5cafd1772ad84c88108bb96c736df75c2b0753d000cc0bf813267cd3b356e28dfc855c87182fbee2abc491629dda38a160e10b4f7a8191e
SSDEEP

12288:T1bLgmluCti62WfSm0iEcQhfYNvrTcbckPU82900Ve7zw+K+DH:RbLguriIfEcQdIvrYbcMNgef0Q

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2095) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

2356 mssecsvr.exe
2892 mssecsvr.exe
2808 tasksche.exe

pid	process
2356	mssecsvr.exe
2892	mssecsvr.exe
2808	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe

Drops file in Windows directory 4 IoCs

Processes:

rundll32.exemssecsvr.exetasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259486228	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABFF4CFC-4B71-48CC-87D8-8577C04FAFA6}\WpadNetworkName = "Network 3"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0190000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABFF4CFC-4B71-48CC-87D8-8577C04FAFA6}	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABFF4CFC-4B71-48CC-87D8-8577C04FAFA6}\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-df-15-72-c8-96	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABFF4CFC-4B71-48CC-87D8-8577C04FAFA6}\6e-df-15-72-c8-96	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABFF4CFC-4B71-48CC-87D8-8577C04FAFA6}\WpadDecisionReason = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ABFF4CFC-4B71-48CC-87D8-8577C04FAFA6}\WpadDecisionTime = 80ddc2fb4ed6da01	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-df-15-72-c8-96\WpadDecisionReason = "1"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-df-15-72-c8-96\WpadDecisionTime = 80ddc2fb4ed6da01	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-df-15-72-c8-96\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tasksche.exe

pid process

2808 tasksche.exe

pid	process
2808	tasksche.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exe

description	pid	process	target process
PID 2716 wrote to memory of 2460	2716	rundll32.exe	rundll32.exe
PID 2716 wrote to memory of 2460	2716	rundll32.exe	rundll32.exe
PID 2716 wrote to memory of 2460	2716	rundll32.exe	rundll32.exe
PID 2716 wrote to memory of 2460	2716	rundll32.exe	rundll32.exe
PID 2716 wrote to memory of 2460	2716	rundll32.exe	rundll32.exe
PID 2716 wrote to memory of 2460	2716	rundll32.exe	rundll32.exe
PID 2716 wrote to memory of 2460	2716	rundll32.exe	rundll32.exe
PID 2460 wrote to memory of 2356	2460	rundll32.exe	mssecsvr.exe
PID 2460 wrote to memory of 2356	2460	rundll32.exe	mssecsvr.exe
PID 2460 wrote to memory of 2356	2460	rundll32.exe	mssecsvr.exe
PID 2460 wrote to memory of 2356	2460	rundll32.exe	mssecsvr.exe
PID 2356 wrote to memory of 2808	2356	mssecsvr.exe	tasksche.exe
PID 2356 wrote to memory of 2808	2356	mssecsvr.exe	tasksche.exe
PID 2356 wrote to memory of 2808	2356	mssecsvr.exe	tasksche.exe
PID 2356 wrote to memory of 2808	2356	mssecsvr.exe	tasksche.exe
PID 2356 wrote to memory of 2808	2356	mssecsvr.exe	tasksche.exe
PID 2356 wrote to memory of 2808	2356	mssecsvr.exe	tasksche.exe
PID 2356 wrote to memory of 2808	2356	mssecsvr.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47765f90c0fb0320afb71996d787206e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\47765f90c0fb0320afb71996d787206e_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2460

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2356

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:2808

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\tasksche.exe

Filesize
2.0MB

MD5
207e037f425e0f4eb3b653361d501102

SHA1
5f4e7b0b2332ca50bbad86ce9087da925858b205

SHA256
bc1ad52ffe87ffcf4b015df7d1a3db624a19a0c7923bcdd211a9006de851b742

SHA512
0a2b4a3df913786b4628dd23973e2472fc1e144921e024be5ef2f53774b561faaeec969ea49927c93534d84440e632f53fc584548f213d535bd962fdf35639af

Download Submit
C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
086e1eaa4896fa6e97cc95522a841bbb

SHA1
861827995bea79099ccae3f5defb62eb8ac5e00e

SHA256
5a5b35cce64dcf8a72ba98d6c34467b0b3a1ecc7bc29163feb5740ea3f42dac1

SHA512
8cf9326b88d4d96b220a765f216928f36f5cb2cf4e34dea611c46fca97fea1082dacc4f159cb58aa36ef3819dfa52d182e73b4dca193fb8a50fa8a48dd53c52d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads