wannacry | 278e4c2c8aac93dc902d29f7b28f631635615c9e2e8bf7211b476b36a763c8a4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll
Size

5.0MB
MD5

08dc108f0734ca16b6d0b460cfa4d0c0
SHA1

124ad52c06bbdbbf8c24870dc934c95f72c6c05d
SHA256

278e4c2c8aac93dc902d29f7b28f631635615c9e2e8bf7211b476b36a763c8a4
SHA512

ef0858975a37c826c8203d37899f649542a8df27993a163817f7cc4c6c6c06c7a4527d00c224472e4403261c74f4dc4f31aa6164747ea2e597f1a5a81480b0cc
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6XEauR:+DqPoBhz1aRxcSUDk36+R

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2672) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1724 mssecsvc.exe
3696 mssecsvc.exe
1868 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1724	mssecsvc.exe
3696	mssecsvc.exe
1868	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4800 wrote to memory of 392	4800	rundll32.exe	rundll32.exe
PID 4800 wrote to memory of 392	4800	rundll32.exe	rundll32.exe
PID 4800 wrote to memory of 392	4800	rundll32.exe	rundll32.exe
PID 392 wrote to memory of 1724	392	rundll32.exe	mssecsvc.exe
PID 392 wrote to memory of 1724	392	rundll32.exe	mssecsvc.exe
PID 392 wrote to memory of 1724	392	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:392

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1724

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1868

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
14d4a723552be20b4693a0e745fe28cc

SHA1
b6166ab202dfaa2846d6d0032d5b06d480b8029c

SHA256
4c44aa0340082e2355e34c3c0c8bff4acb82a9c6e13d0648c49c7a1ad31cd5f1

SHA512
7b338244fab55524a574424bd273f2baefe2939f6b64f90ed2ce8806a5437a54acd034eb1fb1c4dbd365612d89b03662bafccb7ddafb8d1b5e501ffab7e796a3

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
977d14687ac48449af995433ec634112

SHA1
7696e47f7277f883ed5279253d8d44983cd39642

SHA256
14ad323ba4a71502781d82377c795d42e2f3ebf76c8a5a54c20ecaf7a5782afd

SHA512
23de95bb9a49e2e876d818f79873deb48ea55e99ff2d3df61fab7e540a8d1b04ed4d03b2eb565aa14ddb7a1fe0abd1a2e911eb24948840e9a20fc4b026294ade

Download Submit