wannacry | 5797d247bfb6e387b7b61cc0c6c668c56fd85b76140e3992a534f2e2bea219aa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83af5088ba3db6b1d105e14ca84d69d5_JaffaCakes118.dll
Size

5.0MB
MD5

83af5088ba3db6b1d105e14ca84d69d5
SHA1

0a62814dffd3985cd0de23cff1376dad2d935726
SHA256

5797d247bfb6e387b7b61cc0c6c668c56fd85b76140e3992a534f2e2bea219aa
SHA512

9db1fbbb56c99b96c3bac03ae3b7252af6485ee51ae7b48aec85820d569dc25632e00fd357d4787c1fed195dffb312362d8a7f78cfa4d55b7c7562e214bcc214
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAaU+3az6Om3MetDZnh:+DqPe1Cxcxk3ZAaUhIF

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3213) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

992 mssecsvc.exe
4620 mssecsvc.exe
2812 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
992	mssecsvc.exe
4620	mssecsvc.exe
2812	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4572 wrote to memory of 3764	4572	rundll32.exe	rundll32.exe
PID 4572 wrote to memory of 3764	4572	rundll32.exe	rundll32.exe
PID 4572 wrote to memory of 3764	4572	rundll32.exe	rundll32.exe
PID 3764 wrote to memory of 992	3764	rundll32.exe	mssecsvc.exe
PID 3764 wrote to memory of 992	3764	rundll32.exe	mssecsvc.exe
PID 3764 wrote to memory of 992	3764	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\83af5088ba3db6b1d105e14ca84d69d5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\83af5088ba3db6b1d105e14ca84d69d5_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3764

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:992

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2812

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
c17631e97b274702a6d4cce77706bdb9

SHA1
1529c341f49a7514605bdd26ae14a447f515f591

SHA256
2cf47fb7bea77112a89b936121bfa1d173623157ce12c881ef7a434207a37a5e

SHA512
a7ac53722fe3d4a968705e8b9f7b232a6da8fcb1bbf7e78fa4295c4230ca65ba7e3d5c10cd9cd74ea069ba71d23a1aa80e5e626a18f39465774c7bb52193faa3

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3c4086a046d89768b314d5a6d98ae850

SHA1
2e757bb097211b200e070c96d2e57f8a2eeef800

SHA256
4992bb166940c9b7f7183ea360c382688d43ffaa7ce8d6a4f76d0fe38a41a8b7

SHA512
92c1e43901824b896c4cd7367a72a07adfcf120f3e9274166730646ee838e38371027516262406a8a3d57fbd2942fa3622f847dcc21b8106b7c849866558daf7

Download Submit