wannacry | 3a0b797d56b22556d7d7a7d56f34dd62e75aeb298d41d2e0afb719b23511462d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a657a66208c5cce57412b5c1c89a9041_JaffaCakes118.dll
Size

5.0MB
MD5

a657a66208c5cce57412b5c1c89a9041
SHA1

991ec801b55d3aadb40c20f5c8697a677ea2bb76
SHA256

3a0b797d56b22556d7d7a7d56f34dd62e75aeb298d41d2e0afb719b23511462d
SHA512

1ff663e9fe312607939c29720dd56de72c28193deb614e6d302f909b856c53fe037e754c04b115430a458c157c7e5e049f03ef93fb4af78539e77f5f3681471e
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3194) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1456 mssecsvc.exe
440 mssecsvc.exe
2720 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1456	mssecsvc.exe
440	mssecsvc.exe
2720	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3172 wrote to memory of 1020	3172	rundll32.exe	rundll32.exe
PID 3172 wrote to memory of 1020	3172	rundll32.exe	rundll32.exe
PID 3172 wrote to memory of 1020	3172	rundll32.exe	rundll32.exe
PID 1020 wrote to memory of 1456	1020	rundll32.exe	mssecsvc.exe
PID 1020 wrote to memory of 1456	1020	rundll32.exe	mssecsvc.exe
PID 1020 wrote to memory of 1456	1020	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a657a66208c5cce57412b5c1c89a9041_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a657a66208c5cce57412b5c1c89a9041_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1020

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1456

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2720

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
9725da13c795537ef61e844136ea90e3

SHA1
fc82142cd0565201b8f44409068a5199bb340b37

SHA256
98c52deb359b767109d4902a52e054d1ca410893012bb69bebdae5310a5c1768

SHA512
cc68c8cc2c501f1f152c13a978e650bd75d0aa62c47cfa82f483423c027f4038c829e7e7c8b730028f669e1cea58e4bb672dddd5880e2c6894963180e0504b33

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
73ca33926dedbc460f05194098f93c64

SHA1
857963ceca72301af31b38dfe675a15e9181a325

SHA256
c5f768fbec7c3f5125d02c5a5c626d899f2cd93fbf125b709e61c7bc05c31138

SHA512
31f0d24ade177532da910a7eda6a2463b95e05ad43a016a531b86a143ef599afaecfcf9e6c9c624df9934368688ca2e0b158135e155aae402a9e919dec687f93

Download Submit