wannacry | 61fb253b656b4ec88782baaf9e8e741e32789dce3ced825e65edafc0a060cc09

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

272c2091af2a86707aad37c311833152_JaffaCakes118.dll
Size

5.0MB
MD5

272c2091af2a86707aad37c311833152
SHA1

24dc6608fcda83c32386154231c5f317442bf054
SHA256

61fb253b656b4ec88782baaf9e8e741e32789dce3ced825e65edafc0a060cc09
SHA512

ab87f2093012314d4d17fcd70bec10ab1b7d1651917651dca6949aa0b40c97395f86a6353a126e4dd0e6f972dcd3411295c560ebb7414fb9772b5889dd014b95
SSDEEP

12288:yebLgPlu+QhMbaIMu7L5NVEr7CgNt1F0vnwqYYcIOzidenqEAqb:zbLgddQhfdmMKkqYYLZW

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3248) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4928 mssecsvc.exe
944 mssecsvc.exe
3784 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4928	mssecsvc.exe
944	mssecsvc.exe
3784	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4548 wrote to memory of 1768	4548	rundll32.exe	rundll32.exe
PID 4548 wrote to memory of 1768	4548	rundll32.exe	rundll32.exe
PID 4548 wrote to memory of 1768	4548	rundll32.exe	rundll32.exe
PID 1768 wrote to memory of 4928	1768	rundll32.exe	mssecsvc.exe
PID 1768 wrote to memory of 4928	1768	rundll32.exe	mssecsvc.exe
PID 1768 wrote to memory of 4928	1768	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\272c2091af2a86707aad37c311833152_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\272c2091af2a86707aad37c311833152_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1768

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4928

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3784

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a14940982d106793db3fe9ff40ce8715

SHA1
838065abf69b9227f1439da90e70fbcea80f8c72

SHA256
52bd0d456735ce4f4e54e219e28717061fefc18ec25df16d1b267ce64a1c1bf9

SHA512
f6442e0317b691e35e8d27772b614595f1b28a5f7e3256a9c001c186e6a408f5eacc7f78c5d0a7d6e326038f296cdf7bbcefb924ad8b83941374e45510282734

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
e3ebe4b64382f80797bb8acfde1dd60e

SHA1
e4d63cc604e6b917c4f337e5def6e192b4251a39

SHA256
cc70de3779ee5c15815f7d8a47eedae8acf61d63b72576fae707da658d6859d0

SHA512
2641b36546170cd308c279ce94da99dfec425641fd2c8d3fcbc29f8a9256bb8b021ad18d4245661c5b69cc8ff4f488772d9d2a942dea6fbc038a5572f6670630

Download Submit