wannacry | 84bed894ab816f83ce0bbb01cfffd3b2230a04bb6f8497a107f92983200aefdd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97eec0b6b94729d8cb65a97c6d7695e0_JaffaCakes118.dll
Size

5.0MB
MD5

97eec0b6b94729d8cb65a97c6d7695e0
SHA1

679351d838b41f2bc63e79a5ee55850fbdc4463a
SHA256

84bed894ab816f83ce0bbb01cfffd3b2230a04bb6f8497a107f92983200aefdd
SHA512

63d038d0ab17efc0265d454bfcd2f787dad7b2aa9439ac8bf17f3e9c63692fe4ca5253ee0e27a6a0b61bff0df309a5c9c4b6ba32a164a674153711441563f2cc
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8:+DqPe1Cxcxk3ZAEUadzR8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3180) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

872 mssecsvc.exe
1820 mssecsvc.exe
3988 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
872	mssecsvc.exe
1820	mssecsvc.exe
3988	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 32 wrote to memory of 4508	32	rundll32.exe	rundll32.exe
PID 32 wrote to memory of 4508	32	rundll32.exe	rundll32.exe
PID 32 wrote to memory of 4508	32	rundll32.exe	rundll32.exe
PID 4508 wrote to memory of 872	4508	rundll32.exe	mssecsvc.exe
PID 4508 wrote to memory of 872	4508	rundll32.exe	mssecsvc.exe
PID 4508 wrote to memory of 872	4508	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97eec0b6b94729d8cb65a97c6d7695e0_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97eec0b6b94729d8cb65a97c6d7695e0_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4508

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:872

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3988

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
500d2e5371e322be1ec8106b4d435861

SHA1
529179ee4740102ee65614354ee423369f3db3b4

SHA256
80dc07d14a6009a4dad3d7c67b8a7499cefb76d92d86e032ffb87a527a04ee15

SHA512
7c1bf301c7b77826c7e4019e8202dfc7f884fc994aed56454ee59d5b13fb9856bfa3d7b015b0b3b85c3720748707e4d7f39afd73a5f8bac5cb6f15af45cdbf8f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
d07ee41c415b6276663965c6a77ca108

SHA1
9e369824f823842945caa16b00c3dcde4c22f0c9

SHA256
685a294c96facc796a53fdad6a9e7e3d57938db89d0d138370876323ec84ef0e

SHA512
edbbf279734c0ce7fe840f069979f2bae1e8b4cdfb7e60369f5bfb24406b223474e01b0cecb6022903d3928a6a8f4d3333161ae4632f4f8e546cb6db7d4976db

Download Submit