wannacry | 711f13e735fe74a3c8521f02451ce86a716961bbe21dbf78dba14acb31d6741c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

927bad2fc8fd2801ca6603b230a86281_JaffaCakes118.dll
Size

5.0MB
MD5

927bad2fc8fd2801ca6603b230a86281
SHA1

cacfee040cd0155d3fdf5bac151c567a267f82cd
SHA256

711f13e735fe74a3c8521f02451ce86a716961bbe21dbf78dba14acb31d6741c
SHA512

4db14f8a0c740e98edc51457185fbe356319b4fcf25983bd91f4a3e341b0a0d74f4f76489e0fae1efe53db402fa8ee9d382e1e2000c4e73ba780b6b388b61830
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAExWa9P5MyAVp2H:TDqPe1Cxcxk3ZAHadmyc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3284) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1156 mssecsvc.exe
4932 mssecsvc.exe
3028 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
1156	mssecsvc.exe
4932	mssecsvc.exe
3028	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2420 wrote to memory of 4292	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 4292	2420	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 4292	2420	rundll32.exe	rundll32.exe
PID 4292 wrote to memory of 1156	4292	rundll32.exe	mssecsvc.exe
PID 4292 wrote to memory of 1156	4292	rundll32.exe	mssecsvc.exe
PID 4292 wrote to memory of 1156	4292	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\927bad2fc8fd2801ca6603b230a86281_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\927bad2fc8fd2801ca6603b230a86281_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4292

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1156

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3028

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a803185f2b5b6b80f3b900282c0afb83

SHA1
0e17fa43d8b26de1fe53211997a6657abf322b52

SHA256
deeb5c7aae4f9ee8e177e5511d014c73736a75b63c533d4b101e9a3f317928c6

SHA512
e405609cc407703dc9281964f12cb79cb1f00414bae7e1827de67f713a86234dab2e4984a40326e8de3fdf318741f7e886d44b0e0f111269c67b8306e9935328

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
82464f8af9d7b5a6da8c417989b1ec3b

SHA1
9902bdbbe6bf9b02714fe90a67a71d7bc1c0c058

SHA256
3bb14ace48b4c220a65b55dccaae9a497e6e4d81669a65aa168d712a8333d69a

SHA512
a8ef48b20ad211948ca76c9273cd45f5c5af701d7a53bb1ccfe3903b81c6ed2ebc2a89d115ea33b6b9a6ce3d5c143a3c7452f3fe850c071ec6c13399bcdc1c80

Download Submit