wannacry | 5ca8b9ac8b109abd234db6368154665e437049bfdc992c3c80618927a85480e9

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll
Size

5.0MB
MD5

8c71fa95241242f37fbb5aacc7bb8b1d
SHA1

ef18845b9b8f0c4ff4d2a3c784651443ba120ab3
SHA256

5ca8b9ac8b109abd234db6368154665e437049bfdc992c3c80618927a85480e9
SHA512

36d34ad3df52cc3911112d5be248d264a204a1b8c01427e98d8d2f698347c5bdc63e1efad1a86a9108bf280762260bcc09542a6093efdbf339b38c467227c754
SSDEEP

24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kI29PO6lt/8uME71NZtA0p+9XEk:znAQqMSPbcBVQej/N9R3RhlAH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3339) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3968 mssecsvc.exe
2020 mssecsvc.exe
1684 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3968	mssecsvc.exe
2020	mssecsvc.exe
1684	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1164 wrote to memory of 4268	1164	rundll32.exe	rundll32.exe
PID 1164 wrote to memory of 4268	1164	rundll32.exe	rundll32.exe
PID 1164 wrote to memory of 4268	1164	rundll32.exe	rundll32.exe
PID 4268 wrote to memory of 3968	4268	rundll32.exe	mssecsvc.exe
PID 4268 wrote to memory of 3968	4268	rundll32.exe	mssecsvc.exe
PID 4268 wrote to memory of 3968	4268	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4268

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3968

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1684

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
36d3544fcb2a73f026f9ce0b547a390d

SHA1
e96e17e80b062e08f15a61ad5039942139b880f2

SHA256
386e6d2538a6b4d045904bee628f391cd9a26c9fbf781cf454aa50bcb5dd8aa7

SHA512
9818d0edd1cf4c3bc49435aab7af6ec5573051b04d9ee88591bfecb8afbb8e02c134c49611fe9ae9b70e3ddc2bd35652ad5cab34085a19a0eb3f231df6b9cbd9

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
2e9c41c8c4c8c4862b4bd67341e07f86

SHA1
f3c7993c7602a2a8fa8ecc44550a04ad32db7bbf

SHA256
7f4a7782d398f0aa0be22a622aba1522abfd1892461fd7c07c4e3ab41abe5103

SHA512
2af90a8d8794bd9d923aab8d8948493065a71db4dc51c6ddedc7ed751f85ed7e2134e0f782ef54a96cb9f34fd766b1db214c1695cae75aeba88d92ac02ea53cd

Download Submit