wannacry | ff30fed5d92ff55998b4660934a9c08a207d7836e31ac376611ab12e4ca368ae

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

116da80da197df9be520b7645bbc690d_JaffaCakes118.dll
Size

5.0MB
MD5

116da80da197df9be520b7645bbc690d
SHA1

d44af8a3934ea9c96cdc20fb4ac464da103b9a2b
SHA256

ff30fed5d92ff55998b4660934a9c08a207d7836e31ac376611ab12e4ca368ae
SHA512

ef83fd021fb27e9393f207ba2bf2b4001cf60da450ed0b51e8571e76601abf6e8da3e401170934d66090c322babd04ad0d49fce1fd7ae0865b6a9036ab4fb472
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqz4Xhyls6Es47gz2:SnAQqMSPbcBVQej/X4xy66ZWg

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3276) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2688 mssecsvc.exe
948 mssecsvc.exe
376 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2688	mssecsvc.exe
948	mssecsvc.exe
376	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4780 wrote to memory of 4328	4780	rundll32.exe	rundll32.exe
PID 4780 wrote to memory of 4328	4780	rundll32.exe	rundll32.exe
PID 4780 wrote to memory of 4328	4780	rundll32.exe	rundll32.exe
PID 4328 wrote to memory of 2688	4328	rundll32.exe	mssecsvc.exe
PID 4328 wrote to memory of 2688	4328	rundll32.exe	mssecsvc.exe
PID 4328 wrote to memory of 2688	4328	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\116da80da197df9be520b7645bbc690d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\116da80da197df9be520b7645bbc690d_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4328

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2688

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:376

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
7787e47e84763340fbfa014b468aaba6

SHA1
11a3438586a3ba1a2e2ef5268cbe9b096629332b

SHA256
10f59b2878cf42e6b34568c0b58babc57aa271fdd716051e05176a9aa60bb471

SHA512
aaa96a959288663065822a6b1e7dccf53519137da0f1c4a3cb156c62518ea19634fc4f7c02b890929638c7bb33e9534087149083c6f1840abe2d163f93834762

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
917d18da323a85f96ecdf23df2132392

SHA1
f8951b4ade4051cbd61c60ed8ca1575dc2fc436e

SHA256
a436eadb06e7ab6e9dd2875865b9c9ca9f8fa70b010e155282c11b4ed110dcab

SHA512
d63326d792e64f529591dd4b413b7b4c4713513ce81500b6cb7b1f99337697a9575a9471ed7dc8c5968dab5d312e652625db33d920f1ca4dcada68127d0745e6

Download Submit