wannacry | e82c1e6faa4031163ac5859fa08f1950fd6c9d54f600bd589447b03017de8492

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a300f7511bc43a6aab995f038f7a823_JaffaCakes118.dll
Size

5.0MB
MD5

6a300f7511bc43a6aab995f038f7a823
SHA1

b019d883a036fa07443bedce3370765817c9b0d3
SHA256

e82c1e6faa4031163ac5859fa08f1950fd6c9d54f600bd589447b03017de8492
SHA512

f0315ab0dc75b0e89af526e811a4addd8d9d515d713ebb66954720f320499290bc490b3e954985882c3268c0843031b1f820a74fe10130e1df10d7a4ee02d894
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9P:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3304) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1572 mssecsvc.exe
2232 mssecsvc.exe
1804 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1572	mssecsvc.exe
2232	mssecsvc.exe
1804	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3944 wrote to memory of 388	3944	rundll32.exe	rundll32.exe
PID 3944 wrote to memory of 388	3944	rundll32.exe	rundll32.exe
PID 3944 wrote to memory of 388	3944	rundll32.exe	rundll32.exe
PID 388 wrote to memory of 1572	388	rundll32.exe	mssecsvc.exe
PID 388 wrote to memory of 1572	388	rundll32.exe	mssecsvc.exe
PID 388 wrote to memory of 1572	388	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a300f7511bc43a6aab995f038f7a823_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a300f7511bc43a6aab995f038f7a823_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:388

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1572

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1804

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
63b59275de88afa772427f77601b2ad3

SHA1
98a73f0253aeec76180f14d8a7947bcd17f47189

SHA256
c904ee55ed12e44e6eee61d4d0a052b66c610892a328c14b3a3b5001553b6545

SHA512
83014d827b59641dcc7910c2d63730c194a7345d55843bcd987b39e79ab894433f71bb86c493d20f85c7909bd7a9204e9443f2a282d7889179b474d93642db81

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
44fd2345869884ef62ef1b66796f7ba9

SHA1
919fc5058ca61ab4595cf08413f9aa561b8e233d

SHA256
189936f9262dc8b9284f3c8aee23f106dbffa908609a483d758aa73c57203306

SHA512
b5b23dc4016f61d37aab61b8bad6b15108af6b161830ba03557c6d3c0b4ebe076f92f5dd2f7e4376b9e169d25d88d4e4fb5b42db44db786fc3469a7cdc2559b1

Download Submit