wannacry | 11c19920ef168df4545e9e3984e99921c5010d00c3464747708bb1eff0c805a1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e007b414085a1219d9cce4421396985_JaffaCakes118.dll
Size

5.0MB
MD5

1e007b414085a1219d9cce4421396985
SHA1

9cbe2960476907fc1d000edb950a50e672b6d2c7
SHA256

11c19920ef168df4545e9e3984e99921c5010d00c3464747708bb1eff0c805a1
SHA512

fbe4608bb23fdb05f0bb1cb63ca65a50a9a36e75cce59fa66086ac58b18a1bf771cc24ef39ce994fdfdb56c1b1600b41048d41af23b06faa4ba6f772c6e20064
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8h:TDqPe1Cxcxk3ZAEUadzR8h

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3357) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3120 mssecsvc.exe
4880 mssecsvc.exe
2140 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3120	mssecsvc.exe
4880	mssecsvc.exe
2140	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1240 wrote to memory of 3416	1240	rundll32.exe	rundll32.exe
PID 1240 wrote to memory of 3416	1240	rundll32.exe	rundll32.exe
PID 1240 wrote to memory of 3416	1240	rundll32.exe	rundll32.exe
PID 3416 wrote to memory of 3120	3416	rundll32.exe	mssecsvc.exe
PID 3416 wrote to memory of 3120	3416	rundll32.exe	mssecsvc.exe
PID 3416 wrote to memory of 3120	3416	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e007b414085a1219d9cce4421396985_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e007b414085a1219d9cce4421396985_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3416

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3120

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2140

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
4273e84188d97b57df0fb5c56b7c9f88

SHA1
c18add2e7dfcbec8101cb63e716fdfb3f7548d09

SHA256
9ba491aa2bcd81fe15f28b15d0a9776ab93a3b824500850278af6feb1b89ad24

SHA512
3ecc9cefa43ffd7354d90576e3643cc24f77688027fae924f59b73af59d690a286352ed54616ba6536d3f20a2fad28ae78e047c276e31709d538b8fb8117a2d8

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
e566f5f3d412da087df1ef0b1469c332

SHA1
7e9a5087f581be60552960b16b3220128d2047b5

SHA256
cbb5272b1bc3a4bbb2380f4801cc3f1ea84ba07d03b3bb6b2f32b7716cd50d08

SHA512
8e1d0e58d8e09d11f6c93679549c9ae836f2c73192fee9e2db6a7b6032ff6fede11533e227881017213c83fb5ae928cf5c642f5da0f5a1f69149a0637d8dc5d3

Download Submit