wannacry | b56875f63d7bfadf7825c8f6de6197a06656519e2ffa703e306b915ec708c68d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a521617966ff829f447bb73a759cfd6_JaffaCakes118.dll
Size

5.0MB
MD5

8a521617966ff829f447bb73a759cfd6
SHA1

14dbe42fbbd2cbaa27a32d81afac6f1af1ec2d9f
SHA256

b56875f63d7bfadf7825c8f6de6197a06656519e2ffa703e306b915ec708c68d
SHA512

878973f74a241a7986b5ecf8607dc1edfc62334b9b460c60af6f2bfc785e7296cf2f48b1163e759df073fe28dda6b3ccba8ba5de5f03138ed5a7215720d90bf4
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8QAVp2H:TDqPe1Cxcxk3ZAEUadzR8Qc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3269) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2188 mssecsvc.exe
4048 mssecsvc.exe
412 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2188	mssecsvc.exe
4048	mssecsvc.exe
412	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4664 wrote to memory of 4092	4664	rundll32.exe	rundll32.exe
PID 4664 wrote to memory of 4092	4664	rundll32.exe	rundll32.exe
PID 4664 wrote to memory of 4092	4664	rundll32.exe	rundll32.exe
PID 4092 wrote to memory of 2188	4092	rundll32.exe	mssecsvc.exe
PID 4092 wrote to memory of 2188	4092	rundll32.exe	mssecsvc.exe
PID 4092 wrote to memory of 2188	4092	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a521617966ff829f447bb73a759cfd6_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a521617966ff829f447bb73a759cfd6_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4092

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2188

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:412

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
c35e086a9a9e6ffdc5cd63b7bf8291c9

SHA1
54ec0e5491bf367499788088b27e6a877be629d7

SHA256
9c84fd6233ede813ce56fed56a0cdcc7b7bbeba91001fa1f610e18130277caf6

SHA512
8f271a8bebe83a0920289cd8bfcf2c29a7d483118e33d313fb757ee87c93bd643891ad7d644b352c4c120b9d0fb9a8a76113ced8cda4882438275be016954042

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
5afef1a53b0b53dffd2a9a4fbcb2742a

SHA1
8bb82a1daf59c2bd04caa86c07c6abf1b200fb0c

SHA256
81b02ffe5a201bde59987e7ec42525cac74c4d0f57a65bc7b15d153864b30272

SHA512
a6f2fcf8cb77022288970d75a50a8ac57ac000a07499dd63b38e1edae9aacebf8bdf6ecb0abfc16f974f75b984c40c2708ff668543c797a2c3bd5beffa98a424

Download Submit