wannacry | fb5317e76d0f234aede9f26f60f40a278c241d27019518df2ab8909ead764788

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll
Size

5.0MB
MD5

abebc86c59b2aa2143a4aaf98ea34630
SHA1

385b79ff4bfe4dd43e06c287d11d1a067fbb5eb7
SHA256

fb5317e76d0f234aede9f26f60f40a278c241d27019518df2ab8909ead764788
SHA512

1395898edcc6ec8c97934711886cda105b5f8c4b5e1dc9ecf36ac8f9cf268882bad58945b369cc359557bc5b4ebba4e65c705c94f68f38ce9ab42f1403bf6545
SSDEEP

49152:znAQqMSPbcBVQej/1IwFvElh6h0mZQOy2DLscxez2Kr7GDVENG+VN+kszxR:TDqPoBhz1pv86h0mhEcwz

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2680) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4700 mssecsvc.exe
3724 mssecsvc.exe
3684 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4700	mssecsvc.exe
3724	mssecsvc.exe
3684	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1124 wrote to memory of 852	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 852	1124	rundll32.exe	rundll32.exe
PID 1124 wrote to memory of 852	1124	rundll32.exe	rundll32.exe
PID 852 wrote to memory of 4700	852	rundll32.exe	mssecsvc.exe
PID 852 wrote to memory of 4700	852	rundll32.exe	mssecsvc.exe
PID 852 wrote to memory of 4700	852	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:852

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4700

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3684

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
093e8a1d86864424d3cdd1ebede4cc82

SHA1
07b534af48de27c84e046229cc25979fdbcaa53c

SHA256
7cd796d59db7e7ac878ad3335522104e1422e6fc721b2f1c327007578df01502

SHA512
df230b18fa382f8d419008ba2483fad3c08f910c0227925fef35d4d9a46ceeebe410d332326d0f2364b020dcb8de8253a9d2a9c6223e147d557369d1fa6eddf2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b4f7243af03b1dd769ff9240ac5efa9e

SHA1
4c33f4480a4ca13c434fe04d9f5a37cfb2691c37

SHA256
e871c13560d924fe7adceb03e49b233127c970a4855fa607913778581fbde45e

SHA512
c49ceddf726d6eefdb21573ccb5895089b0f28d1f411272bff5d86cb64b70d7535c9bf561e127c7d5a260adb482a33c26ee85d55f18938c2c43b3675fa725d6d

Download Submit