wannacry | 92d633e2d8c94ffebb60507abc1e7cb893c4131661e1b41fa7032a6dda6b76aa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c166c3b9e6f879ab7f33115d5a252a1_JaffaCakes118.dll
Size

5.0MB
MD5

0c166c3b9e6f879ab7f33115d5a252a1
SHA1

fba4b04f54ca357eb1dc3733a95fb6fe5a9c514e
SHA256

92d633e2d8c94ffebb60507abc1e7cb893c4131661e1b41fa7032a6dda6b76aa
SHA512

ad5bfaec08933783500af6867110ea0329071da68012f33fa31feecea72c4a19e3c027d9065f18c2a4e35fd32787172bae57d9b5b94d1f45ad4022f9e439b9c7
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3272) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2892 mssecsvc.exe
3128 mssecsvc.exe
1948 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2892	mssecsvc.exe
3128	mssecsvc.exe
1948	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4120 wrote to memory of 320	4120	rundll32.exe	rundll32.exe
PID 4120 wrote to memory of 320	4120	rundll32.exe	rundll32.exe
PID 4120 wrote to memory of 320	4120	rundll32.exe	rundll32.exe
PID 320 wrote to memory of 2892	320	rundll32.exe	mssecsvc.exe
PID 320 wrote to memory of 2892	320	rundll32.exe	mssecsvc.exe
PID 320 wrote to memory of 2892	320	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c166c3b9e6f879ab7f33115d5a252a1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c166c3b9e6f879ab7f33115d5a252a1_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:320

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2892

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1948

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
1746e65adf2fe07b737bb5764cabc2e4

SHA1
dd36351521b6584791d5b6fb939142536b71e604

SHA256
1a3341416f9f7b3bfac2648e4d00148bef03d4608a8dd17c2363a8e0cf0dbc0b

SHA512
2e24058fd5497663e0f82b9039cc6eb7586c6c1674cb10b881f7dec463b6f9df1beee3327b889a6664fd76e68ff0b758c201ffb7c8dc00932f5996b380505a1d

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
bdcd1b50b28cdd7e1bb29004ac43edd7

SHA1
c892dfb02d544d7a4b58b47b25d4717cecc49786

SHA256
46777ac11360c778db1f288990885a5a144f0b82e9e3632c3d64218bfe4cd1d7

SHA512
d03ed482cd25c2c797c04a024733dff0a450119c59f1c1a03999187503b3672cf05fcdb093baf69015a5e16cacdc120fa807e5e2d497814101d2c009afc7ae2b

Download Submit