wannacry | 947837f99eadfc89901b66bb2688dc703a9355c8263c5de0b0103142a7fcea0c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a66bbb81819c7a53008288547034108d_JaffaCakes118.dll
Size

5.0MB
MD5

a66bbb81819c7a53008288547034108d
SHA1

4362692ed7e98b5224314beb8ad1ff1afd8fed1d
SHA256

947837f99eadfc89901b66bb2688dc703a9355c8263c5de0b0103142a7fcea0c
SHA512

689a16b60a7e97d64ba29d3650bdb387bb17df1bf8bbafca9d02b03a64155dc753ed08037b440a4ed4397ad5e1bf6967d83ef8bf23457d169a5cb3af24f157bf
SSDEEP

24576:SbLgddQhfdmMd4scVNgeopJNtY+EUXDsh1ATL4pEjqEwN2gpndjb24XxiVL1RaQg:SnAQqMdfb3JlU8gfI19FXprotruq

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3090) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2660 mssecsvc.exe
3724 mssecsvc.exe
220 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2660	mssecsvc.exe
3724	mssecsvc.exe
220	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3196 wrote to memory of 4044	3196	rundll32.exe	rundll32.exe
PID 3196 wrote to memory of 4044	3196	rundll32.exe	rundll32.exe
PID 3196 wrote to memory of 4044	3196	rundll32.exe	rundll32.exe
PID 4044 wrote to memory of 2660	4044	rundll32.exe	mssecsvc.exe
PID 4044 wrote to memory of 2660	4044	rundll32.exe	mssecsvc.exe
PID 4044 wrote to memory of 2660	4044	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a66bbb81819c7a53008288547034108d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a66bbb81819c7a53008288547034108d_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4044

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2660

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:220

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
4fdbe278beaefc23039e6123bdc6695a

SHA1
d98a7fdfe3538bcf36cfe105e585ff6baeda70d0

SHA256
bff4ffca77939603d2e6f1d7cb24de6e41ec4e94afc306f6a434072585d2075e

SHA512
19c7bebb56bac8cee879aa2eec83af020330977be9ddb17d881c3a757951216e717160f0786e7cd69bdebb6bb9ef0acb92578d339674a8b6e6165e793549cd0d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7adbae7ddb75a3f753a4bbf8223bb4d2

SHA1
c6c7a439322f1ca373d18878f0a2e2444fc166ff

SHA256
96b3c39d380a4116cafd0abfbcf334b58655803a3046ab063a79fb0852823f13

SHA512
99c16dd7b57a412f23ff544f9d53bed84a0b6d88581995ef0639531c14f3c9b169611da9bd618023f973d8f15dcbc48858c06e573091fd3893ea36cd4c81b86d

Download Submit