wannacry | 82a0d5ac32187da31b69923155997abab150b43d5cd215aebba73893c35679e1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll
Size

5.0MB
MD5

16b81e7be5881e4d21e3330bfb951a81
SHA1

18686a14f40b7349eaf6ddc1bdad8737840b9186
SHA256

82a0d5ac32187da31b69923155997abab150b43d5cd215aebba73893c35679e1
SHA512

13460fd5eff2e0c19531c2f822e7a17180a37c0fd503852b0cfab91baabaf7687a37681468d57efa33819cff5e84f1daa3b6d593d308ded2609c94af219bf042
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3306) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4584 mssecsvc.exe
4988 mssecsvc.exe
1520 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4584	mssecsvc.exe
4988	mssecsvc.exe
1520	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3228 wrote to memory of 1228	3228	rundll32.exe	rundll32.exe
PID 3228 wrote to memory of 1228	3228	rundll32.exe	rundll32.exe
PID 3228 wrote to memory of 1228	3228	rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 4584	1228	rundll32.exe	mssecsvc.exe
PID 1228 wrote to memory of 4584	1228	rundll32.exe	mssecsvc.exe
PID 1228 wrote to memory of 4584	1228	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\16b81e7be5881e4d21e3330bfb951a81_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1228

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4584

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1520

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
f4b7cb06e9c9796fa0c416dedf928b15

SHA1
5936e3ab9b36e5a435bae852f9e1714bab820224

SHA256
2d8fe1c77c3f60b0196ca1d39706bfb88d587e11df2c6bddcfa8bfde5015b029

SHA512
c714ebcc7e5f10f4f5e0a39cff45a82d4d04b3a621c6027227e405a5b87558c77ec03095218ac9b4d0f34858ff0388e46fcce2c70bd330e304f63c536d11cc26

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9c49e94d5e4d8204aa66093b625339fc

SHA1
de172a9dd2026c19273e4fc4d0977510e8333ddc

SHA256
fa8b4e1d3cb30b9f47202c1f4fc5ca6ab14a2cc5da0b37dd2cce487b04171a9b

SHA512
f5749b5a072a7f81a49fd8dfc47a0f98af8b7e117227c278619145e556d3624115a86a4b51e1ef038ee7d9eb28cd6ad367b4ff4adff0e8bd92d602e1a7ba12e8

Download Submit