wannacry | 2589efaaa4f3eee564c93ecd69241427dcbe44ff53ff4b32ecde8043e3902a7c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a33573e465729d000fef090310806c4b_JaffaCakes118.dll
Size

5.0MB
MD5

a33573e465729d000fef090310806c4b
SHA1

e4351639982969ccd0d22d1d4285a507ff860900
SHA256

2589efaaa4f3eee564c93ecd69241427dcbe44ff53ff4b32ecde8043e3902a7c
SHA512

670be76ec4f949a87620ffe2af3387ced914de7f42ad4adb19d9f36ead662ca49e6b187923ea1b45d931e4004d0f66b5e44ce2c42b4ea980cb0867c283265d96
SSDEEP

98304:+DqPoBhz1a0TBBBBBBBBBBBBBBcBBBBBBBBBBBBBBVfBBBBBBBBBBBBBB5BBBBB+:+DqP21JBBBBBBBBBBBBBBcBBBBBBBBBK

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2693) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

748 mssecsvc.exe
2992 mssecsvc.exe
3684 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
748	mssecsvc.exe
2992	mssecsvc.exe
3684	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1384 wrote to memory of 2024	1384	rundll32.exe	rundll32.exe
PID 1384 wrote to memory of 2024	1384	rundll32.exe	rundll32.exe
PID 1384 wrote to memory of 2024	1384	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 748	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 748	2024	rundll32.exe	mssecsvc.exe
PID 2024 wrote to memory of 748	2024	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a33573e465729d000fef090310806c4b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a33573e465729d000fef090310806c4b_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:748

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3684

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
269054c6ce0fd11a5d2969ffcfae9ed3

SHA1
e710e22c256ea84e3535022d3633a3706f44595b

SHA256
ae13a46c691cc93ccab882e4e7f9efab83839696318a2de8754bc77d7b6f37be

SHA512
7b792d94090c4542e46f2baa7d1b1cc87c70ed4b0ecb19a340e7d41d06cdef4c96fb52a6a45f13dd7c517f579cb57f786975fba02d6c28ef9d7261f85a936e74

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f57cb3ca2eddedbcaa94f9da16f88f5

SHA1
7a334deccaf79f0ad5d1121a5743478ceaa983d0

SHA256
b95bd87e08f6f258aa1c8a80c332cc1bc8b91e3b4ef1aa508ce943a91b46fa93

SHA512
158a3a0f89796abd8a943dce4be3abd05198c98c103bb4293aa5cfb68e9b2d5b63a67f5eeeb4813f2d9c223dd83095f5c977dab3109119569f42923bd120eb06

Download Submit