wannacry | 7527c7bc3c52dc5630265ee03efcae905a2cc8b909fc33d427919dd8b355a66a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6585e80f2a580a1b5d1dfb3d8dbe0f6_JaffaCakes118.dll
Size

5.0MB
MD5

a6585e80f2a580a1b5d1dfb3d8dbe0f6
SHA1

70e86c590bc18260a90e8d7c1501f57db5dfdf3c
SHA256

7527c7bc3c52dc5630265ee03efcae905a2cc8b909fc33d427919dd8b355a66a
SHA512

33525771a636ae7d35e737276f24089162115197e5acf417811b97da3043b77fc4cd4dcd7f79c47896e5d505d73395c60b1d17edc18f6f3a8dcd45d7e460f5be
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P53XK:+DqPe1Cxcxk3ZAEUadtXK

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3251) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2844 mssecsvc.exe
1928 mssecsvc.exe
3860 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2844	mssecsvc.exe
1928	mssecsvc.exe
3860	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 708 wrote to memory of 2040	708	rundll32.exe	rundll32.exe
PID 708 wrote to memory of 2040	708	rundll32.exe	rundll32.exe
PID 708 wrote to memory of 2040	708	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2844	2040	rundll32.exe	mssecsvc.exe
PID 2040 wrote to memory of 2844	2040	rundll32.exe	mssecsvc.exe
PID 2040 wrote to memory of 2844	2040	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6585e80f2a580a1b5d1dfb3d8dbe0f6_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6585e80f2a580a1b5d1dfb3d8dbe0f6_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2844

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3860

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
06c4f5946eb4d6d99ec56fffc9468953

SHA1
398b2a6e7788042e72a76341c2061e7aea6a17cc

SHA256
c89523191566c7b491cea755c7a47ee7dd383d0475a10268581808979d9d4544

SHA512
8acb19a451cb20e12ee45c2cdda78ddd5ebda17f97b1ef3fa65f250311ef66fc3c945476a903bf4107b21dab54c291bc509a58fbdd0e84b4b8bfd416f6ae2ef8

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5fb7e5f0c3d439cc3a6823f8e061d9ae

SHA1
5df9961c8df60e3933dfeb110c3d42f7a63a21dd

SHA256
25c44dc5f8b699042083b14da37ff4dbc8ffc1057362ce2d9c24b94eec4ea0fe

SHA512
ce87f13ddad2fe78255a29b4a513992496af58da539e77a8283866895453ebd459a23c2871df8607bcf8def2eccf77e3740152139a622a9815b9645f61c8a22d

Download Submit