wannacry | 67569caf493d1e49e6f3fbaf46668b2940b025331ed00d0b689d409b56f2ac98

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

903e95f34e0f022737eb9d04651aaa4a_JaffaCakes118.dll
Size

5.0MB
MD5

903e95f34e0f022737eb9d04651aaa4a
SHA1

26d5a4529616fc29ffdd0e627481e787d3632afa
SHA256

67569caf493d1e49e6f3fbaf46668b2940b025331ed00d0b689d409b56f2ac98
SHA512

534282df7ea6d2af273186e7c445cd6e9ea53b7505b5f99c0455655b02c93de285219be9751a950d13009262470925bd363fc9b2f074b085be0893c7f0fed8f8
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5I2H:+DqPe1Cxcxk3ZAEUadRH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3286) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3452 mssecsvc.exe
736 mssecsvc.exe
2132 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3452	mssecsvc.exe
736	mssecsvc.exe
2132	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1588 wrote to memory of 1976	1588	rundll32.exe	rundll32.exe
PID 1588 wrote to memory of 1976	1588	rundll32.exe	rundll32.exe
PID 1588 wrote to memory of 1976	1588	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 3452	1976	rundll32.exe	mssecsvc.exe
PID 1976 wrote to memory of 3452	1976	rundll32.exe	mssecsvc.exe
PID 1976 wrote to memory of 3452	1976	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\903e95f34e0f022737eb9d04651aaa4a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\903e95f34e0f022737eb9d04651aaa4a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1976

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3452

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2132

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
62c9751dad73d0fbd7734a9089931bb0

SHA1
1596e8a0a7aa1a5df5189710e10e5438ea543bb6

SHA256
4445e6641c8c492cdb9d1163e74c53239bf924cecf6de75942f1e36398d359d7

SHA512
0d8d66e47603c8c21a726379d4da2d04ea829a0b9a3fc1409f82d2dd3ce3f62142466c7536095b467c8f817b70da3c7c8720c46a138009cf5503e4a7211a2a3e

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
345fff8cd452f7c9d1b2e18b3b44b802

SHA1
4a19d578b8aeeb6701c522960f66a988d35813b7

SHA256
db6fde5bd5763ecefa75f537f20769dfc8d6c509dc984914b78710d6318e084c

SHA512
56fd989ac05304b809c573fad1ad79ce091f864e2560ffcfd2656e534c17b214082d6aeb5a25a408e7066ad724e96ee5a526eee79b391aa3a8b83c72ea605d52

Download Submit