wannacry | 99943e6c8ba298f43cd8f225f4df4cf625e622ba789e2b60eb3e41ebda62da41

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d0eeb02dd0ca1c97f389b9751151bb1_JaffaCakes118.dll
Size

5.0MB
MD5

4d0eeb02dd0ca1c97f389b9751151bb1
SHA1

65e9bb056cc6d5418dbf99526c51303a655c4221
SHA256

99943e6c8ba298f43cd8f225f4df4cf625e622ba789e2b60eb3e41ebda62da41
SHA512

0a21b89937e00526434b9984896020001b4a107d09abbf64e6d051dd1d7290ec558f5e9c43b27afcabf5faca6324e5ff313aa897ead790d755ce5dd5e8d650a1
SSDEEP

98304:+DqPoBhc1aRxcSUDk36SAEdhvxWa9P5uR8yAVp2H:+DqP11Cxcxk3ZAEUadgR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3326) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3868 mssecsvc.exe
2876 mssecsvc.exe
2580 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
3868	mssecsvc.exe
2876	mssecsvc.exe
2580	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5008 wrote to memory of 1580	5008	rundll32.exe	rundll32.exe
PID 5008 wrote to memory of 1580	5008	rundll32.exe	rundll32.exe
PID 5008 wrote to memory of 1580	5008	rundll32.exe	rundll32.exe
PID 1580 wrote to memory of 3868	1580	rundll32.exe	mssecsvc.exe
PID 1580 wrote to memory of 3868	1580	rundll32.exe	mssecsvc.exe
PID 1580 wrote to memory of 3868	1580	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d0eeb02dd0ca1c97f389b9751151bb1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d0eeb02dd0ca1c97f389b9751151bb1_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1580

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3868

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2580

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
6b7c6f571549d756df917ef794a66206

SHA1
492835ffd3c6121c08dc0f39d14aeb3471d395fd

SHA256
1f75c704d6c13e20d7039dfd9131d46f782d1cbc3b9e5a6f5859aabb1e16f88b

SHA512
0a441b7ea0c4d6545633eae778ec6105b013bfe3ff6c79ec31b8d86fb9beeb7ba0a1966654eda60f9b0eae941855dd62d2d9ca0d2381f0e108ec95d564244fde

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a1711585b1f312b8a3c5ef2a53b0e277

SHA1
f7701547f476c768eaac249b14af289e7c3a0bc2

SHA256
09fee0426f29d1f2f50559571300024eab0348af47896ad392c2e0400296479a

SHA512
2f22a18b89803c76dba16d1ec4caa6c356969ba345d4556c1b77b7ee53a10e1b5e8610eb57cdf094922f66f931136dd25f5e60d5dd058ecbe166ffbf32fc3792

Download Submit