wannacry | ea099596630fe3ae3bd5ee95f34160126e3bc347bf91251011b0767a1c591f94

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02420505830101d5633fd68ba3a62685_JaffaCakes118.dll
Size

5.0MB
MD5

02420505830101d5633fd68ba3a62685
SHA1

2166f4b0c0eb29fe283fbae7116c518b235bb7e3
SHA256

ea099596630fe3ae3bd5ee95f34160126e3bc347bf91251011b0767a1c591f94
SHA512

542692c40ba7ffbdac02807d058bd5fa70d1058936913414d440cb8e7734a4ee5aee22acc270d96bd09e5631feaf1c72b32732c23c17d7e8d96fbde998644c04
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTd31HkQo6uAMEcpZ:+DqPoBhz1aRxcSU3k36u5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2660) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1244 mssecsvc.exe
1952 mssecsvc.exe
824 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1244	mssecsvc.exe
1952	mssecsvc.exe
824	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 880 wrote to memory of 2540	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 2540	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 2540	880	rundll32.exe	rundll32.exe
PID 2540 wrote to memory of 1244	2540	rundll32.exe	mssecsvc.exe
PID 2540 wrote to memory of 1244	2540	rundll32.exe	mssecsvc.exe
PID 2540 wrote to memory of 1244	2540	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\02420505830101d5633fd68ba3a62685_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\02420505830101d5633fd68ba3a62685_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2540

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1244

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:824

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a29483df1364dc32e6b25ebe75972208

SHA1
ce72c64eb4b8a2c9156ff23261f0dddc6a9326bd

SHA256
b5f4f785368bb394d75a296e39505e81065927bcda6630962d6d8c3a6838e71a

SHA512
5d16eebfad1e2fc0c8cdba9d89bb905b7732d2ac5d3b6e60c05e8a9e4e160c6b4e306c2665a6dc8cfaff6282d95e3c1bcc0345079efd6baaf63e7ac1ab518841

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3d4c3be36f39bd91bfdb5f61ff265f3a

SHA1
ea2c72af7cbd60462d42d3362c86403fd0a454bb

SHA256
31ed7aaa7c2c55baf8045b42f4eef4a6d076e67853bf1f33660924c24afbf04e

SHA512
879414492ee70a0b82de9d4aad635640464bf2bf5cba4bd8c4091a3ce755084faa019a363cf753721e41109de1d38d606b9d618fb225162979808587c83bb661

Download Submit