wannacry | a6d9d43e0cdb001b30bb74e5a3ae6522283f1ec7390ec6d44ff0ed68d04756f4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23bf1b61c93c034a3c70831b6e8a4d70_JaffaCakes118.dll
Size

5.0MB
MD5

23bf1b61c93c034a3c70831b6e8a4d70
SHA1

93169ea4673c1ae96a419af53bb0d8f78f0f3036
SHA256

a6d9d43e0cdb001b30bb74e5a3ae6522283f1ec7390ec6d44ff0ed68d04756f4
SHA512

65c25fa577fa9962a94615c6f6057f710e3d41ca6a887f4419cfec3262602c8148d52e5793639fc2f3de7b2e844f74b5f2d58c6b53a312ed5c98fa3ab65dcbae
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTPVXmiF2:SnAQqMSPbcBVQej/1INRx+TSqTdX1Z

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3238) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1120 mssecsvc.exe
3776 mssecsvc.exe
4412 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1120	mssecsvc.exe
3776	mssecsvc.exe
4412	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1200 wrote to memory of 4748	1200	rundll32.exe	rundll32.exe
PID 1200 wrote to memory of 4748	1200	rundll32.exe	rundll32.exe
PID 1200 wrote to memory of 4748	1200	rundll32.exe	rundll32.exe
PID 4748 wrote to memory of 1120	4748	rundll32.exe	mssecsvc.exe
PID 4748 wrote to memory of 1120	4748	rundll32.exe	mssecsvc.exe
PID 4748 wrote to memory of 1120	4748	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23bf1b61c93c034a3c70831b6e8a4d70_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23bf1b61c93c034a3c70831b6e8a4d70_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4748

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1120

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4412

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
316630ad6353535d7fe76672084c999d

SHA1
c687aa75e9b8fb423b97594798dfe695d59e77ad

SHA256
6e1bf8d9364d1c960333b94dad18f495a3102dcd7e331cc812b86cc618c11001

SHA512
a8f8963906bcbf5270154e6c8f79460b57bd46c93eee89a7159e050751973ebbc29266ecb59e845cc43c5cf8809b0960cc2dc574400d0b97951910072ac56bdc

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a8a5648c965e7cc33834649945b0ada1

SHA1
6832ac6ca58fb0df0e62d468f05f40384ed2e6cc

SHA256
b77418da3c992bb912c45edc099401e016cd0b0e4037cec3558d663cc8562619

SHA512
a51bf34b6bee544d0034bfedc41336da54c3f6c90bdab8cd6b637b00932b6863e1adb59556a5a8464c567176f8fc1c7c1d354492ce7d971def793d7f7e8b553d

Download Submit