wannacry | 3659bd29104688f4aec05ecad294db34429e49096983768873038dc7fdbcc494

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

561aaa59b84a7fd7c8436b5d47fda319_JaffaCakes118.dll
Size

5.0MB
MD5

561aaa59b84a7fd7c8436b5d47fda319
SHA1

f4e1395cc7a3a6a6e98d51dba66560cec46b7f7d
SHA256

3659bd29104688f4aec05ecad294db34429e49096983768873038dc7fdbcc494
SHA512

2d415664e27883d524da987d12c26ef0d632a159c19b3e7182f4dac00e28921a4c523bff04bee0f95fa796948a91d9be6d35e650af27edfa2a8decda619b0995
SSDEEP

98304:dDqPoBhQ1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:dDqPR1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3323) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3188 mssecsvc.exe
2364 mssecsvc.exe
2616 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
3188	mssecsvc.exe
2364	mssecsvc.exe
2616	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4012 wrote to memory of 3692	4012	rundll32.exe	rundll32.exe
PID 4012 wrote to memory of 3692	4012	rundll32.exe	rundll32.exe
PID 4012 wrote to memory of 3692	4012	rundll32.exe	rundll32.exe
PID 3692 wrote to memory of 3188	3692	rundll32.exe	mssecsvc.exe
PID 3692 wrote to memory of 3188	3692	rundll32.exe	mssecsvc.exe
PID 3692 wrote to memory of 3188	3692	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\561aaa59b84a7fd7c8436b5d47fda319_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\561aaa59b84a7fd7c8436b5d47fda319_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3692

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3188

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2616

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
6fe9d6dc8367939853e0bf1545a2e637

SHA1
23f8eb0797363c701ad5c1dc7949c42c66783df0

SHA256
136ef00a4156fbf83c12ff4dfd82048a9a7421a50ba21df8e7800b673eff2830

SHA512
8e0606762627dda67752f0026cb85c9162151e93e466b8b21329555efcfdbe9585811c798bdd178e27eb4a65c7ee6b1957b1cfe0b02fd58d204e81c352617a14

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
bd03cac11efac30c49fdc99a8816a5cf

SHA1
755071b384aaa353b8b9b28560b39627ce746b3c

SHA256
d0a22bce8b7ccfb3401e4ee705d7100c6f584582b8b1b0054ad987f0dc09e622

SHA512
16d5aa1232286d0c3416215046579ad8ee6db726175dfeec1c60043ceba4da21608c5ccb00b5c829a57176f755523f2073394b32deba5918029fe13aab7999a8

Download Submit