wannacry | a4ddeb368c41e168b4bdff4b3780ab0714901414831612e14a3b61e4946efdc1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bfff6a4e56407a80e4c4cddcf211656_JaffaCakes118.dll
Size

5.0MB
MD5

6bfff6a4e56407a80e4c4cddcf211656
SHA1

a4e5d4ac5cf090958ebfde098e60e83a698ffb0d
SHA256

a4ddeb368c41e168b4bdff4b3780ab0714901414831612e14a3b61e4946efdc1
SHA512

181cb5db756a00adbf04ea0e9f80a5e0e6069f27c52a484106dfd2813656ee4a02a8a8f3a11be1029bbc0d98e7ffcb18cade4ee3c2645aa2cb0136d7b6ac176b
SSDEEP

98304:TDqmSUDk36SAEdhvxWa9P593R8yAVp2H:TDqmxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3306) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3416 mssecsvc.exe
2096 mssecsvc.exe
1324 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3416	mssecsvc.exe
2096	mssecsvc.exe
1324	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 936 wrote to memory of 2424	936	rundll32.exe	rundll32.exe
PID 936 wrote to memory of 2424	936	rundll32.exe	rundll32.exe
PID 936 wrote to memory of 2424	936	rundll32.exe	rundll32.exe
PID 2424 wrote to memory of 3416	2424	rundll32.exe	mssecsvc.exe
PID 2424 wrote to memory of 3416	2424	rundll32.exe	mssecsvc.exe
PID 2424 wrote to memory of 3416	2424	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bfff6a4e56407a80e4c4cddcf211656_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bfff6a4e56407a80e4c4cddcf211656_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2424

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3416

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1324

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
cf41fcbc785c71e684f656b1b150a441

SHA1
286ef2c9adc3ff4e7b29a35cd049dad0dedeeb14

SHA256
378c55de31c93d3bdc1c9676f6c25ce388b553fa3254d04ba106eeba7b7c868e

SHA512
db1a6522af7975e4e31b6d525fc69ce9019a6e64788852bdc760a47dc2ef065717198ec6ae619bc8625b29cf0b9ad157c899cd86a60f66488831a09e1534a619

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
471388c9757c47e3ebbb868d2799516b

SHA1
5bb81eefc7ca24fe57f2e62b1006ca85840e1862

SHA256
f5b1f32486a9c53d63d7a43f2e0742fcb7426036bf4f729a82e7e9922ac0a4b3

SHA512
bef3ef94f2cdff254ca530740272095b4c6cfd628953c1deda8d6b0cfb8cd423176e510ff8fcd66b21599211258f31921ccd67bc768ae9feadcf2d27774f347a

Download Submit