wannacry | 253d832ea20c6faee0825c1926b2412686c83f9f1521a7817bd91df1ae0208e6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63a991006af2616ad323958bbd347c90_JaffaCakes118.dll
Size

5.0MB
MD5

63a991006af2616ad323958bbd347c90
SHA1

cc0d90b22aa8053ea9e132889bca45e43ca900ac
SHA256

253d832ea20c6faee0825c1926b2412686c83f9f1521a7817bd91df1ae0208e6
SHA512

ac5abaf38c705713051debaf9f0133ee26eb53aff619e9a747d916b4861abf254a0cacd45b76207053e5fd849127716526779b856b4507102dfd63b819bf2144
SSDEEP

49152:SnAQqMSPbcBV3GGafYzflm+fZTFZIGayscOqd2vC0+KtARUbfMpr7WvCS:+DqPoBQ+iUP0e9y0lWCS

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3214) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3796 mssecsvc.exe
4816 mssecsvc.exe
4216 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3796	mssecsvc.exe
4816	mssecsvc.exe
4216	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4880 wrote to memory of 3364	4880	rundll32.exe	rundll32.exe
PID 4880 wrote to memory of 3364	4880	rundll32.exe	rundll32.exe
PID 4880 wrote to memory of 3364	4880	rundll32.exe	rundll32.exe
PID 3364 wrote to memory of 3796	3364	rundll32.exe	mssecsvc.exe
PID 3364 wrote to memory of 3796	3364	rundll32.exe	mssecsvc.exe
PID 3364 wrote to memory of 3796	3364	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\63a991006af2616ad323958bbd347c90_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\63a991006af2616ad323958bbd347c90_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3364

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3796

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4216

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e3470119fcdc427ded9b855266f82519

SHA1
39e9310121959419626d3b22006b0376d78cdd32

SHA256
ced86f4c57c78f324255ff9a9155bee14666c8071c0ffa3259f2758bbd90887a

SHA512
dceec1e2396caca65cebe9bc4012d70bde61c3e499056dae3ab383c0345d3875cb607b9532ce078bae3c8658cb69861bd7d3627ad393ad22e85431e8335881c4

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
01916ac258df00f20ba378fc16171988

SHA1
98b55baf8f888c32dff7243d8aa101b55b95935c

SHA256
c05c1eb1a71ad332cb0c3121f66626408770489589510eec49f804167df44508

SHA512
daed04dce12a91bc362a524df194fdb01c5a753b0580950f5eefd1575b94aed6c73a8ddc421a41eb78e99d82d528b62d16b561b353ca9e24a284c38af6d2fa71

Download Submit