wannacry | fc2f145f2c1e2de9f5492e2987dd6e3859d0aabbe6f4dc703c86bb77b0086e5e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll
Size

5.0MB
MD5

a62a80f7db409bb44290b25641c6694f
SHA1

56934df4b479198c6688a390eba74a885ff26fde
SHA256

fc2f145f2c1e2de9f5492e2987dd6e3859d0aabbe6f4dc703c86bb77b0086e5e
SHA512

80d27899fa0513e3e4649ea6969522b34a7999a0997ab88e2a8a747fa5312ee9b8ca35965e7148252d53eefabc0368171e0b14f413619709e321ccad8acfa21e
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQ:TDqPoBhz1aRxcSUDk

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3225) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1480 mssecsvc.exe
1532 mssecsvc.exe
3236 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1480	mssecsvc.exe
1532	mssecsvc.exe
3236	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3116 wrote to memory of 1108	3116	rundll32.exe	rundll32.exe
PID 3116 wrote to memory of 1108	3116	rundll32.exe	rundll32.exe
PID 3116 wrote to memory of 1108	3116	rundll32.exe	rundll32.exe
PID 1108 wrote to memory of 1480	1108	rundll32.exe	mssecsvc.exe
PID 1108 wrote to memory of 1480	1108	rundll32.exe	mssecsvc.exe
PID 1108 wrote to memory of 1480	1108	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1108

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1480

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3236

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
eb803792a58e278cc0985dad15204919

SHA1
6095e74586d3bfdc4d5ea0269d5f9f32e2912ac5

SHA256
e414785740575eb5b306c10d9cb6c6a84b19f7a8c459f4d272c398c36a03a338

SHA512
cdc9568e0c67346b07690c80ae6ae2a728e8ca9b82ff3350dccdcf6637f5036731c3e6a8b67ac077c1dc63a9047e6e8e43e8586083c74ac07458c58a832b6830

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
c51ff01f733edf9d028866a973e6f35e

SHA1
c52f9c24346b69d72d13569bd6565d8d23ab96e8

SHA256
2d158c9d27d65ed554f4feee0cba57871cad4998e39fc025afa22ee21588c43a

SHA512
0a95d9c98978d77e0f0e4295f2af79c8a04f47d5f917e1f80debe9a7587e53f1d1c3656daef82ec3f3942af1f70e08e6ef4a61b6a9cf46518134b557c5f605ec

Download Submit