wannacry | 63c263d083f3ce348478d83b813b1123cf15ef4d050a16260de07c353f80e570

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

124a758e02a9a0d87be9fc19782663c3_JaffaCakes118.dll
Size

5.0MB
MD5

124a758e02a9a0d87be9fc19782663c3
SHA1

bfc9202b513238772a19d00183b152be02a7b91f
SHA256

63c263d083f3ce348478d83b813b1123cf15ef4d050a16260de07c353f80e570
SHA512

881ecd25726b0c43c1c758cc0e8305fdb99b3bc011995987bb2daad78ee8f28b1de1b0e7fd1224b94591b8fe3926e72254ad42b0d3c39a0e6838ed5f603e9c28
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593B:+DqPe1Cxcxk3ZAEUadz

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3352) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3848 mssecsvc.exe
3628 mssecsvc.exe
2184 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3848	mssecsvc.exe
3628	mssecsvc.exe
2184	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2208 wrote to memory of 3040	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 3040	2208	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 3040	2208	rundll32.exe	rundll32.exe
PID 3040 wrote to memory of 3848	3040	rundll32.exe	mssecsvc.exe
PID 3040 wrote to memory of 3848	3040	rundll32.exe	mssecsvc.exe
PID 3040 wrote to memory of 3848	3040	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\124a758e02a9a0d87be9fc19782663c3_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\124a758e02a9a0d87be9fc19782663c3_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3040

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3848

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2184

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
c650da2cda2f9dbaaf1d37951a123e0f

SHA1
ae7975b729e944bba43f23dd669c6b5c51c19325

SHA256
3659bb0a11ffe8b5d01bc209a8dea17d2b5377e24e5bb173408640359af7f370

SHA512
9d9c5fddb0c683a467cda3b446a0e25695de6d61a4a3fe4994549b4392d98fe26e1c5e1568ea053bf45cb59135daec6baa03c20501ddacf0937f2d82ac3c8dad

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
629ade0fc895fffd49e70c915b985d73

SHA1
459c891908e855e9188274da1949bab63f999f4c

SHA256
d4f7f12d8453a1eb294fbd39f001d417adf6a11eaa6e1bf91d7314c72eefce05

SHA512
005acc044d885bbb372e13c68433228473d32f0fc68c15b7a0ea6eab51bd746567abecdc12dcbac91569b98e6b7ec6285789eebd240314b7ce1397e103dd96ad

Download Submit