wannacry | 834c8f099daf9f1c6ea4616b177f915d135e67f3cabca02a468da9194ca0b746

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

957c02405029f88cf233b2b75c476d00_JaffaCakes118.dll
Size

5.0MB
MD5

957c02405029f88cf233b2b75c476d00
SHA1

793a4225e49d00815e3112f4d86a8650e5c5af55
SHA256

834c8f099daf9f1c6ea4616b177f915d135e67f3cabca02a468da9194ca0b746
SHA512

8d2cf6249e5823cbbd2f9565216088d2b18ae99a3170edd2aeac34c8953314ab497538dbe9b833e43f27e718de79a42c434d7e0fe8d9529e2eec0a74f25c2d74
SSDEEP

98304:+DqPoBhz1aRxcSUZ6SAEdhvxWa9PZAVp2H:+DqPe1CxcLZAEUadZc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3182) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1556 mssecsvc.exe
5096 mssecsvc.exe
4424 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1556	mssecsvc.exe
5096	mssecsvc.exe
4424	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1192 wrote to memory of 2168	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 2168	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 2168	1192	rundll32.exe	rundll32.exe
PID 2168 wrote to memory of 1556	2168	rundll32.exe	mssecsvc.exe
PID 2168 wrote to memory of 1556	2168	rundll32.exe	mssecsvc.exe
PID 2168 wrote to memory of 1556	2168	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\957c02405029f88cf233b2b75c476d00_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\957c02405029f88cf233b2b75c476d00_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2168

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1556

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4424

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
165905c8e8d56d14e49afc0f1cc9bd0d

SHA1
5b76947c05c1f988864f7c3e070327dc43d5b39e

SHA256
6a5996178e031e6438db8ada72cbb9efff935475797b066d20748b68ae2ed21e

SHA512
81ad358e8c960d61d0618398b437b85fb749f8748f877c0e7e52b13895a5c6df57977a412881eafd0eb66768a140767fd28715a6dcb119b2646f4f74f3e56b2d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b43e84f45ae7285ae58e46b085d23535

SHA1
e0533fcbb999911370460a0c225aad530972c464

SHA256
9bb4650d1333bf8eb3330ad44b2f19ef1a3ec73508c5cb9e7ebf80f7c0be26a0

SHA512
684edaafe0b21d71f97973e9628dc2443628e97a0bd5e80645fce555c3b32cad8c9fb1ce8f56ac39d1f08d66fb6c198f9e814eb9b2504554449f1d05b844e036

Download Submit