wannacry | 6404a8df234f2da6f6ebf9196f1e746fd22a04c5ff2794faeecacf93794883e8

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ff9a0d6e9b947b5c476286f2306850_JaffaCakes118.dll
Size

5.0MB
MD5

26ff9a0d6e9b947b5c476286f2306850
SHA1

5cc5f9f10e24dc87edd2046cbf07d2c4c78ecba3
SHA256

6404a8df234f2da6f6ebf9196f1e746fd22a04c5ff2794faeecacf93794883e8
SHA512

5d922ef9921660a4186a1224e07215943204d88bac1fe34e26fbd75930755a80ea6840cc5dba524b37e977d3388d07f783d65713054574fd21809baedd09413f
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0zpcL7nEaut/8uME7A4BGccEAHYkRGra8oQPe:SnAQqMSPbcBVzaEau3R8ZZROAx

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3308) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3152 mssecsvc.exe
1596 mssecsvc.exe
228 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3152	mssecsvc.exe
1596	mssecsvc.exe
228	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3044 wrote to memory of 2236	3044	rundll32.exe	rundll32.exe
PID 3044 wrote to memory of 2236	3044	rundll32.exe	rundll32.exe
PID 3044 wrote to memory of 2236	3044	rundll32.exe	rundll32.exe
PID 2236 wrote to memory of 3152	2236	rundll32.exe	mssecsvc.exe
PID 2236 wrote to memory of 3152	2236	rundll32.exe	mssecsvc.exe
PID 2236 wrote to memory of 3152	2236	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26ff9a0d6e9b947b5c476286f2306850_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\26ff9a0d6e9b947b5c476286f2306850_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2236

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3152

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:228

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
80ae678346ca878eb852b1417cede4b9

SHA1
b45c51308a8f50bdc12b549a8a230654ae6aee33

SHA256
58066735988212568a4b5b557b124e2bd5a801962d8b70a1db4812a9bfd2d5b4

SHA512
181b23000caaa36d702a23dd06719c37e5d0b9e3c4b8f693139e3e45594deb27f6c5463da3cc61a6526836d0c9ac7c48896c4d265a20bb66a3da9f23340886c2

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
ebafaed3b3f761bf8f4b4babd9abbc24

SHA1
d6de46221231a0bcf8049233efa0d46bc5a603e3

SHA256
f1ec161e18d514d574e7c066c97eb5bd702c56408085e91319b33d2075f6adf7

SHA512
c2852b375c60caf73f96ec91a69a40f63d970d0363b559d70bc6816c934e169dae175e4b007df12077d41cd51a9987fd27d6c863aaaa5101454a5ebbee0eac5a

Download Submit