wannacry | aaca8da1381a405c9b2f153fcdfc9f0fcfc0b056ee7207e66e09730ddfe0c502

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d5164e216157518f63b05e5daf56553_JaffaCakes118.dll
Size

5.0MB
MD5

8d5164e216157518f63b05e5daf56553
SHA1

77369b1c0694db1b5a162d95b2aa4b86eaf36470
SHA256

aaca8da1381a405c9b2f153fcdfc9f0fcfc0b056ee7207e66e09730ddfe0c502
SHA512

cdfb806677cd6b4f938e6e919533f945d9a40acb38cf50315b8b9692fefcf75072cdb57376aed5c67fc46a2fa969c2ce3c32091659d05866a76c7a3b42475022
SSDEEP

98304:TDqPoBhzLcSUDk36SAEdhvxWa9U8yAVp2H:TDqPeLcxk3ZAEUay8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3303) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3016 mssecsvc.exe
4044 mssecsvc.exe
4008 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3016	mssecsvc.exe
4044	mssecsvc.exe
4008	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2008 wrote to memory of 1060	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1060	2008	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1060	2008	rundll32.exe	rundll32.exe
PID 1060 wrote to memory of 3016	1060	rundll32.exe	mssecsvc.exe
PID 1060 wrote to memory of 3016	1060	rundll32.exe	mssecsvc.exe
PID 1060 wrote to memory of 3016	1060	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d5164e216157518f63b05e5daf56553_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d5164e216157518f63b05e5daf56553_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1060

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3016

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4008

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
feb55321c4b985717fb7a480fc858899

SHA1
8370f03467d71b178b9cd61fab27f7d3703fa49b

SHA256
55a2051ada65fb43f34d5049073e9c858cee15dd9f4ca11dfcc84008076963e9

SHA512
d9cf50597b51d84bd0d2503da7224ebd1f6f6dbf645b210da2e3ae7052b6fd86ca4a06a9a7be5d641803e8e9ae2192d89e3d4024afd57bdce3facba47b72a7b9

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
1326c883dcd7802b6f2a18b183071a27

SHA1
6508773bf1f6d363500f02e47d51d49a41efeb86

SHA256
3082a0f906cbbc030609b7612f958401937f790df1ec203f67a3c446638e9423

SHA512
39c1ea57e601110bb43070e3809206b3bca1d3acb3cccf1db876bdba497b10c96153f0832486880745deecc54e5e6811d2aceb6810e347156aba57f9da83ab0c

Download Submit