wannacry | a91088e535cd46cede4684b5b01ab44ae587896515d46f561678e408ff190053

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll
Size

5.0MB
MD5

5621542b257455bf2ba19d23dfdf6bd3
SHA1

ea4919722b8be96a8a47912e1201a8489db1c785
SHA256

a91088e535cd46cede4684b5b01ab44ae587896515d46f561678e408ff190053
SHA512

db392c351a1c263dd74d021f33a1b1dca503a449fd156dcf4ea0460545e85573f7c39023f23235b2ee6e2396213b0a15122c1ec95eb2fc58fe098b350688a01f
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9g3R8yAVp2H:+DqPe1Cxcxk3ZAEUaQR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3304) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1020 mssecsvc.exe
1060 mssecsvc.exe
928 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1020	mssecsvc.exe
1060	mssecsvc.exe
928	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2972 wrote to memory of 1948	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 1948	2972	rundll32.exe	rundll32.exe
PID 2972 wrote to memory of 1948	2972	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1020	1948	rundll32.exe	mssecsvc.exe
PID 1948 wrote to memory of 1020	1948	rundll32.exe	mssecsvc.exe
PID 1948 wrote to memory of 1020	1948	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1948

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1020

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:928

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
6551c8a27eec3b118704d99bc892daec

SHA1
c8ed819ac33e1e575f56711bb1991c191fa683fa

SHA256
f047d312431343223d175ce6ac990704726f5995febc3a4a62f716f8dc4ed016

SHA512
aa3d151b43a477057ffeb0c38ebd9c959e97769dabb5ac7a81485da4f3a8bae0d79ab174bc42314a629a101f07bb812630421236a804136ee08ba77bfb784894

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a1b0a61927bb5a5a0386fad639db7ff8

SHA1
a6c328d2096e9e0832f6eb1029a0e432c373f3bf

SHA256
74abc3f0879a0234bbddb17b84839c5a8d993bdd04a21ac5c6ffd2f035a07c7e

SHA512
843ffb4403e53a9476f065bfa22fff023cf06a61bae76606f993f38755e12dd9d989fb38f0b1ea2cfec352e59a02a28332ad1bacc56e819dd7eb688a42c30d85

Download Submit