wannacry | 9d145e0217a2d39188d0884dec679b1a0c2e0c85751fe0e5194ae6be5e23291b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27a4c11b4bdb7c601424cfe63a76f2bb_JaffaCakes118.dll
Size

5.0MB
MD5

27a4c11b4bdb7c601424cfe63a76f2bb
SHA1

b50ae9cec5191a5454fa7c4ab723c70b7b727556
SHA256

9d145e0217a2d39188d0884dec679b1a0c2e0c85751fe0e5194ae6be5e23291b
SHA512

b234a2a467f6bb6e0c5de9512c7c83141f2ec1cce3b20f769e2cd230f70ff416e8499a5e6509ec49503bec4731aa3f96c4d70ec13d5312b476cefd7854d75966
SSDEEP

98304:+DqPoB91aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPy1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3354) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4400 mssecsvc.exe
1028 mssecsvc.exe
4792 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4400	mssecsvc.exe
1028	mssecsvc.exe
4792	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1184 wrote to memory of 776	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 776	1184	rundll32.exe	rundll32.exe
PID 1184 wrote to memory of 776	1184	rundll32.exe	rundll32.exe
PID 776 wrote to memory of 4400	776	rundll32.exe	mssecsvc.exe
PID 776 wrote to memory of 4400	776	rundll32.exe	mssecsvc.exe
PID 776 wrote to memory of 4400	776	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27a4c11b4bdb7c601424cfe63a76f2bb_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27a4c11b4bdb7c601424cfe63a76f2bb_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:776

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4400

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4792

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
c778de6016dc32c98b8c3e8713507cf1

SHA1
f47254a3059d76465ba654ad59aab143bc0ee11e

SHA256
6a5e4cd221c35df843baff1e2bb548ef81de039ed2e297efc38ca0e212766d50

SHA512
6052da4475eb93a091e0a1812ca3a7f7725f8b08210282df1e085824035579a2551f686419c422bf369ddae6d79185f84a122f4e61fde864caa16e0b124d4ec6

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
b6db0a4dbb0faac78693c54dbf1a1f4d

SHA1
6c733b2ded252595fa78a26c03da68160604cee7

SHA256
3fd69e6c6754457efba909399fee1f566b0bd1caf3aa62f63772772818ce720e

SHA512
f30f278cc7f33d348f24cefc08f2aed93f85c5987ee76820a8cd8e6dac30bccf46bcf474e7aa2323bb509ca10d1eb5d58c2cb0fba0cadf9992d4846311e05e96

Download Submit