wannacry | 8a0abfca4e451c4f0f3c693eb52331954573384bfd902ee325118d85a7e22dc3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abae35df2210d9521a8bc0ba08b97113_JaffaCakes118.dll
Size

5.0MB
MD5

abae35df2210d9521a8bc0ba08b97113
SHA1

02cd4366ecde1ccd8833d7853dcf80c00305dead
SHA256

8a0abfca4e451c4f0f3c693eb52331954573384bfd902ee325118d85a7e22dc3
SHA512

b36c47d647109633c256dad766ff0ee846114f81b9921494048dfe68cb5561dabcdd051ff979774ce74a871ba46ad78a2718b67de70be8b5039d26999e24c79e
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhUP593R8yAVp2H:+DqPe1Cxcxk3ZAESzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3251) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2572 mssecsvc.exe
3564 mssecsvc.exe
1380 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2572	mssecsvc.exe
3564	mssecsvc.exe
1380	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1084 wrote to memory of 1612	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1612	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1612	1084	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 2572	1612	rundll32.exe	mssecsvc.exe
PID 1612 wrote to memory of 2572	1612	rundll32.exe	mssecsvc.exe
PID 1612 wrote to memory of 2572	1612	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abae35df2210d9521a8bc0ba08b97113_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abae35df2210d9521a8bc0ba08b97113_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1612

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2572

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1380

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d7f4ff878ebe415908865c70f771f044

SHA1
fae5f74b6ff94419c20491d8d597255bfd6c58ac

SHA256
8c8d53641bd242ef992aebbf90bf797af3e8182a908e066a901b583e1fbaaa2c

SHA512
d69547ee99df21414525a039b4c16226f2796ee3113d2d9dc98b6fafed1d807fd8e0abe55110ba868784c75982696bb23e1bca8740435a3c2453eb4baecea18c

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
f3003718765af548421286844ecd0716

SHA1
8157ad9a91b3221ce72c8034e49a23b1a689084e

SHA256
da7118b2c5e2e7ec9add5e0313851be30121c69d114ff6d3f7836c6ec0527882

SHA512
54d519786363c76c15526ffa6c6971f7959b0eccb4cf1cb2477d7f5f05fe514aacb26ccb58a4dea67762caac856d6d39aeb7d9b676ee60c88e2c4ce4656b7009

Download Submit