wannacry | 340a987284bda2834a8e85be466250f5dbdf43a211049d1c6e27da52cb5fd060

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ff7ab7be09dbf4fdcd86c1fdda6382a_JaffaCakes118.dll
Size

5.0MB
MD5

4ff7ab7be09dbf4fdcd86c1fdda6382a
SHA1

ed94e456f899ab6d41a688c2738d7290c81ae66b
SHA256

340a987284bda2834a8e85be466250f5dbdf43a211049d1c6e27da52cb5fd060
SHA512

6d7cc8f4864f5d6a9aa73fc2763b2c516879d5b9d6b8a3a3a4872431fd5e12ec9960300514a43bedbac6461a5267f6abb5e4134f69423e50e9ed263ce31466e3
SSDEEP

98304:TDqPoBhzO6SAEdhvxWa9P593R8yAVp2H:TDqPeOZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1492 mssecsvc.exe
3156 mssecsvc.exe
4792 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1492	mssecsvc.exe
3156	mssecsvc.exe
4792	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4788 wrote to memory of 1804	4788	rundll32.exe	rundll32.exe
PID 4788 wrote to memory of 1804	4788	rundll32.exe	rundll32.exe
PID 4788 wrote to memory of 1804	4788	rundll32.exe	rundll32.exe
PID 1804 wrote to memory of 1492	1804	rundll32.exe	mssecsvc.exe
PID 1804 wrote to memory of 1492	1804	rundll32.exe	mssecsvc.exe
PID 1804 wrote to memory of 1492	1804	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ff7ab7be09dbf4fdcd86c1fdda6382a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ff7ab7be09dbf4fdcd86c1fdda6382a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1804

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1492

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4792

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
f2e10b7be910f87cfa606ba558de5de9

SHA1
08fb514c5424885066eb2e6fe29cff519c0dce60

SHA256
1393348a379ba011187bd74ad9bcc832f55dea12bc37ebb72dccfd62fbe7d0d5

SHA512
81bd12304db884d017f330fa7e7632d574219c37ae2285002f5f000b8cb4aec878872a5e8130e955afb87b091befb4cd72ed3abe4a96c9c3036263e458d5a695

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
31c8ce6f27374a29e3bd70843543059d

SHA1
e1fd324418452d3a2b28f6756d2c52cbf8ab2c4b

SHA256
a257fb2f667c1274f1540a8f746d2501b249ac233cfabf63eb85dbd592282c2c

SHA512
372a5a66a601c3583f9183c706383736482baaf13d012bc2f03c8f34597d6cc1a1cbad53906071375f0fa3e722c5eb7bcbef78f6cb968b31da92d4cdd46a1468

Download Submit