wannacry | e572ac2cb59c9efb7d130b6d0b126abdb2c5418eb23eef13257eafcc38ed963f

General

Target

6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll
Size

5.0MB
MD5

6aa433b987f747ea18bd1daba29b19a6
SHA1

c4a60a470025c45d224276be50fe9ac8370ddee1
SHA256

e572ac2cb59c9efb7d130b6d0b126abdb2c5418eb23eef13257eafcc38ed963f
SHA512

f5939aa010fc822d3b2017d6091b802f27d96f01c914b659280a862cb11b453a59a379772795c199c377171fc35dcc6208a13c2a716137aca7318bc5212c21e3
SSDEEP

24576:ObLgdeQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKt:OnjQqMSPbcBVQej/1INK

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3148) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

2020 mssecsvc.exe
2764 mssecsvc.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mssecsvc.exemssecsvc.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

2020 mssecsvc.exe
2764 mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious behavior: MapViewOfSection 47 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid	process
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 2020 mssecsvc.exe
Token: SeDebugPrivilege 2764 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	2020	mssecsvc.exe
Token: SeDebugPrivilege	2764	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 3032 wrote to memory of 2368	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2368	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2368	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2368	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2368	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2368	3032	rundll32.exe	rundll32.exe
PID 3032 wrote to memory of 2368	3032	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 2020	2368	rundll32.exe	mssecsvc.exe
PID 2368 wrote to memory of 2020	2368	rundll32.exe	mssecsvc.exe
PID 2368 wrote to memory of 2020	2368	rundll32.exe	mssecsvc.exe
PID 2368 wrote to memory of 2020	2368	rundll32.exe	mssecsvc.exe
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	wininit.exe
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	wininit.exe
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	wininit.exe
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	wininit.exe
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	wininit.exe
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	wininit.exe
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	wininit.exe
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	csrss.exe
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	csrss.exe
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	csrss.exe
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	csrss.exe
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	csrss.exe
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	csrss.exe
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	csrss.exe
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	winlogon.exe
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	winlogon.exe
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	winlogon.exe
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	winlogon.exe
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	winlogon.exe
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	winlogon.exe
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	winlogon.exe
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	services.exe
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	services.exe
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	services.exe
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	services.exe
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	services.exe
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	services.exe
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	services.exe
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	lsass.exe
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	lsass.exe
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	lsass.exe
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	lsass.exe
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	lsass.exe
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	lsass.exe
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	lsass.exe
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	lsm.exe
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	lsm.exe
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	lsm.exe
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	lsm.exe
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	lsm.exe
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	lsm.exe
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	lsm.exe
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 672	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 672	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 672	2020	mssecsvc.exe	svchost.exe
PID 2020 wrote to memory of 672	2020	mssecsvc.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:2024

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
4⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:812

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:268

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1072

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1100

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
3⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2104

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:1664

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1
3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
b2b0bc696271321075d678c832b9db9c

SHA1
801343b88e1e276da1585564bcf22b9f114a48c0

SHA256
6729590951a87257c5509e08c3d6c12ecdc78645e478c387d660663fb93087ba

SHA512
3106db6137ec2d32e83c6024261878f2bbc2016e95f5213c4e6bdca8d792ca36e0b574fa85d57aaa46de5a91b9759826a72ab3b7f08e54737d0fd7fbb86e569b

Download Submit
memory/2020-9-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/2020-8-0x0000000077ADF000-0x0000000077AE0000-memory.dmp

Filesize
4KB

Download
memory/2020-7-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2020-13-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2020-16-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2368-6-0x0000000002520000-0x0000000002B93000-memory.dmp

Filesize
6.4MB

Download
memory/2368-15-0x0000000002520000-0x0000000002B93000-memory.dmp

Filesize
6.4MB

Download
memory/2764-11-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2764-17-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads