wannacry | d77d6cdef6e906971ec74c6fe200bb954581fba04c08247381557c3ebae22cc8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll
Size

5.0MB
MD5

9c38a8a1a32a471f7f969cc3eeb43a02
SHA1

75e831729706ed7f50d68337bf71efc4d7e347ae
SHA256

d77d6cdef6e906971ec74c6fe200bb954581fba04c08247381557c3ebae22cc8
SHA512

5da32a15c98562b413b0c62e887c21a49943680f984c2aaa9c5d4003ef867c5fa179cb490a00196d756ad3afa5bbf7ced76a2272026fa3e45d43ee7a76adddb9
SSDEEP

98304:+DqPoB5z1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPO1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2690) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4008 mssecsvc.exe
596 mssecsvc.exe
2168 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4008	mssecsvc.exe
596	mssecsvc.exe
2168	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1948 wrote to memory of 1920	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1920	1948	rundll32.exe	rundll32.exe
PID 1948 wrote to memory of 1920	1948	rundll32.exe	rundll32.exe
PID 1920 wrote to memory of 4008	1920	rundll32.exe	mssecsvc.exe
PID 1920 wrote to memory of 4008	1920	rundll32.exe	mssecsvc.exe
PID 1920 wrote to memory of 4008	1920	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1920

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4008

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2168

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
7389bafd564190dd7549d1c30616d516

SHA1
28f35901cfa0f42a9adf77b186ce750a18d85736

SHA256
d77ea687e621048e148e573d68d8f0f90b81c72d1da49e344b27edde64ba53d3

SHA512
e9cef730d4963bc8fbb9bafc6f66bfd2f1dbf6425caae224f9d7ddb06bd778cb75f126b9c4d564189fd062f804c3813a45c6c56fc16f6379f6138fd42bb9ac79

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
f11f68e66d13ad8212897cc32adb0dce

SHA1
84d26b5f83eb688b66d8a6dbad17f76750aa0822

SHA256
a7e92b68e90b891c9d41a00e827c2a965b4807717025be913d026e5dd3007699

SHA512
996680d032f0cf9032d9a73aabd93f5cfc5c76eb25a4d9e9b507975813fd75ecd5e427ec0e4a10633895ea4c190c871392d07de948de6322e0b46bc63650cba3

Download Submit