wannacry | 12e61c8774c298f8a17f5502dc7184aeeb9f84eeb5f7ba803299f77d84584695

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c65abc6e309da7730393bc847b4797b_JaffaCakes118.dll
Size

5.0MB
MD5

5c65abc6e309da7730393bc847b4797b
SHA1

75127e277e373b92bef7fc34ba0436cbb06a2af0
SHA256

12e61c8774c298f8a17f5502dc7184aeeb9f84eeb5f7ba803299f77d84584695
SHA512

c5623d1f7dcff422d8f702e16df182dab315f32f879cd687de30fac92c62ae7e78f3cbe0c0306ec5284b0a07a28af60e8d0629c730b46f43ed4722a4fb910147
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgecG/D8kIqRYoAdNL:SnAQqMSPbcB2/1IN

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3270) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4804 mssecsvc.exe
3912 mssecsvc.exe
4800 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4804	mssecsvc.exe
3912	mssecsvc.exe
4800	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1004 wrote to memory of 1412	1004	rundll32.exe	rundll32.exe
PID 1004 wrote to memory of 1412	1004	rundll32.exe	rundll32.exe
PID 1004 wrote to memory of 1412	1004	rundll32.exe	rundll32.exe
PID 1412 wrote to memory of 4804	1412	rundll32.exe	mssecsvc.exe
PID 1412 wrote to memory of 4804	1412	rundll32.exe	mssecsvc.exe
PID 1412 wrote to memory of 4804	1412	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c65abc6e309da7730393bc847b4797b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c65abc6e309da7730393bc847b4797b_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1412

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4804

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4800

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
3d6116262cc235e33c3a42a4391ce7e1

SHA1
3bb976aff543eb500bcde537a5b6444340855228

SHA256
761467d1f1a0273861a06a33b7c2c0ebbd1e820b61ab0a1f55540b28f4c12fc2

SHA512
95ee7d2bb9294f8560a530eced914c47e08e709c6767ecb589da3f8237a62c68f4799ab255bd84dfd765fd09c70de0e8126f45a7314e6f81e60a341f0b9d14b7

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
fec4c55a8804f26e8c1abf2439074b53

SHA1
68359521247765c8697b0fabcd46fe3c4802560e

SHA256
997dde43fc9f36af7eb16a17aa8b57aad351d90bb110b8de9b2640136f9ac364

SHA512
a948ff3f87bbeadc8f1e1239617c811bb2b0fcabc4530fecea7797bd9cd7947c5ad80d4ada29cf818a4208c06fb4086494fadf2baadf23c38b0dbe7e97c084c5

Download Submit