wannacry | 6f73d23dc235b9255b394a96f5d01e4d0040b72b1b727d459885a1d92e6b5235

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll
Size

5.0MB
MD5

93da20793dcecca1f9cbccd3b3de8ba1
SHA1

606b2f5cfd4296762de9b767342df97412fb7cf4
SHA256

6f73d23dc235b9255b394a96f5d01e4d0040b72b1b727d459885a1d92e6b5235
SHA512

87a729c025efdf011464256068ad253b6cfecf8d75e94512cf29d4bfb95b8f6068cf64fe48aced6ac01bf08a734f9765789470d5e57207354dcd85a6a5e8bd55
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:+DqPoBhz1aRxcSUDk36SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3190) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4572 mssecsvc.exe
3812 mssecsvc.exe
1412 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4572	mssecsvc.exe
3812	mssecsvc.exe
1412	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2776 wrote to memory of 4632	2776	rundll32.exe	rundll32.exe
PID 2776 wrote to memory of 4632	2776	rundll32.exe	rundll32.exe
PID 2776 wrote to memory of 4632	2776	rundll32.exe	rundll32.exe
PID 4632 wrote to memory of 4572	4632	rundll32.exe	mssecsvc.exe
PID 4632 wrote to memory of 4572	4632	rundll32.exe	mssecsvc.exe
PID 4632 wrote to memory of 4572	4632	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4632

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4572

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1412

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
146997f5831cf6362171888ce06e795f

SHA1
013161b55f6825a53424b56baba5503da124ec9c

SHA256
4ba2c444ec2dc1e7c67be46d6bf1d7eb83a826e4524709d22f6551ea83f4b951

SHA512
45064461a8ff356a4d8cf4591e56d263e1cae0198a1268dd71418ebf653814b36572f9440c62a3a64b124a64b12794b71a0d414f9174f5a530c2cd457b5ea648

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
3c3f38487305188cc58893126b7492ba

SHA1
fc9ac88842e4dde20e1134279773ee8885f0c185

SHA256
95e451949bfe0fec72d454467e3c136cb4cf44de759cb7537ade03736447b219

SHA512
274b654c15faf63bcfd368ad4f26c7812c8f7a0b42de492f6ee23c4f996292367dec6496c87d408d5f753d96d18f9e6f3af3f2cc0163c9636a7ca259aa2d8e3b

Download Submit