wannacry | 2b0d7eb0e2a1f3c200116060867fe80b0bfc88c666fd4a1cf7bf22e39f3aed61

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a941a68efba98916c3543124d545c929_JaffaCakes118.dll
Size

5.0MB
MD5

a941a68efba98916c3543124d545c929
SHA1

4f6aab140aba41adfc5d221403f85a64db4ac2bc
SHA256

2b0d7eb0e2a1f3c200116060867fe80b0bfc88c666fd4a1cf7bf22e39f3aed61
SHA512

0436620adf71ae00b416e6676b94365ec210db79308df93653faba3565730626064a64f146f70b124f6743599efd0b97f69405ed4beeac15de1c4067847b3f81
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM:TDqPoBhz1aRxcSUDk36SAEdhvxW

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2680) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1492 mssecsvc.exe
1800 mssecsvc.exe
2904 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1492	mssecsvc.exe
1800	mssecsvc.exe
2904	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3084 wrote to memory of 3420	3084	rundll32.exe	rundll32.exe
PID 3084 wrote to memory of 3420	3084	rundll32.exe	rundll32.exe
PID 3084 wrote to memory of 3420	3084	rundll32.exe	rundll32.exe
PID 3420 wrote to memory of 1492	3420	rundll32.exe	mssecsvc.exe
PID 3420 wrote to memory of 1492	3420	rundll32.exe	mssecsvc.exe
PID 3420 wrote to memory of 1492	3420	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a941a68efba98916c3543124d545c929_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a941a68efba98916c3543124d545c929_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3420

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1492

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2904

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
4f462abe5292853d6328e356305de4be

SHA1
57944a10d863969799fcc190ff1c7ebc3d723e8f

SHA256
4b0c97e31fa57560606e1841305aec8e5983a4f0230d387e4a13dc7878cc958a

SHA512
733ec291b13b92bac78d6c5334e474714814ada0a3d94157852e11c9ae0279d4ddef67b2685dd217e01cc050773e6af46cdf8f663d1d36ca188f720cd68cf48a

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
4560ce126cc34e33839f4bafbeb801b0

SHA1
ad3d81e70e7206fa255c12cbd3f863dfb72fb12c

SHA256
5facb4bca8b6a43fcf064b33c80c8727633fdc2532b2e66402b5cd954109cde0

SHA512
1aa20fe3e776def514c3b6035ff17e19373d07f0f4d8a39144484b31a8ba6368357d9db07b99e544ed27f7ee4856fd4fe50fea7f5aa7e85e408da7645f036d03

Download Submit