wannacry | b90382ed0462a0c27a4edec0bc952549846f0616e2e4c700d9c2da065bb28208

General

Target

57967b6e7787ff7365db472b97691ca1_JaffaCakes118.dll
Size

5.0MB
MD5

57967b6e7787ff7365db472b97691ca1
SHA1

c7c888ac1b1b48275b16dbd34abd23daa8cec8da
SHA256

b90382ed0462a0c27a4edec0bc952549846f0616e2e4c700d9c2da065bb28208
SHA512

2567d5851479d4d0b60803db6600a809988a4a7cc8e29375a943f6028074b497d5a952cc3a2ab03618f2749da7a1aceaae449939c91fc1f7d9a4d2fbe7be9474
SSDEEP

49152:RnnMSPbcBVQej/1INRx+TSqTdXr6SAARdhnv:1nPoBhz1aRxcSUN6SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3121) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 2 IoCs

pid	Process
2640	mssecsvr.exe
2892	mssecsvr.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YO0OMPL2.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\60EXS6J6.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\60EXS6J6.txt	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\YO0OMPL2.txt	mssecsvr.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0331B96-20D9-4CB4-BB1B-020D5FA3AB1F}\WpadDecision = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-7d-5d-d0-53-f0\WpadDecision = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-7d-5d-d0-53-f0\WpadDecisionReason = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0331B96-20D9-4CB4-BB1B-020D5FA3AB1F}\WpadDecisionTime = 2009698618d9da01	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0331B96-20D9-4CB4-BB1B-020D5FA3AB1F}\WpadNetworkName = "Network 3"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0331B96-20D9-4CB4-BB1B-020D5FA3AB1F}\4a-7d-5d-d0-53-f0	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-7d-5d-d0-53-f0\WpadDecisionTime = 2009698618d9da01	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0091000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0331B96-20D9-4CB4-BB1B-020D5FA3AB1F}	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0331B96-20D9-4CB4-BB1B-020D5FA3AB1F}\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-7d-5d-d0-53-f0	mssecsvr.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2760	2708	rundll32.exe	30
PID 2708 wrote to memory of 2760	2708	rundll32.exe	30
PID 2708 wrote to memory of 2760	2708	rundll32.exe	30
PID 2708 wrote to memory of 2760	2708	rundll32.exe	30
PID 2708 wrote to memory of 2760	2708	rundll32.exe	30
PID 2708 wrote to memory of 2760	2708	rundll32.exe	30
PID 2708 wrote to memory of 2760	2708	rundll32.exe	30
PID 2760 wrote to memory of 2640	2760	rundll32.exe	31
PID 2760 wrote to memory of 2640	2760	rundll32.exe	31
PID 2760 wrote to memory of 2640	2760	rundll32.exe	31
PID 2760 wrote to memory of 2640	2760	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\57967b6e7787ff7365db472b97691ca1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\57967b6e7787ff7365db472b97691ca1_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2640

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
b9ada40ac6b58c2325d073c89e577f1f

SHA1
9d9ce5b885b22ea1a9e0c61bbfcf68acd5608792

SHA256
c97fb78371881b13c74d14a904ad8c23fc67f12a2d86b71b02c5b4481e3f95fe

SHA512
da968bbecc76ab7e444e026e6bcecd15b417005796d649b909b72420f4c23469a688d9d083fc6138f9922460e56052232e69ec8758a3b535bac4f12477e6e4c2

Download Submit

Analysis

Sharing