wannacry | de61ad14bc39bc894068f5eefe3cf6ee3c4ccbf7efa8ff575a117300d6f9f62b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c83055748bd40c550c395f81f7738a_JaffaCakes118.dll
Size

5.0MB
MD5

a9c83055748bd40c550c395f81f7738a
SHA1

462d4bc5478bbd040f71897ccba2566bc4a2036f
SHA256

de61ad14bc39bc894068f5eefe3cf6ee3c4ccbf7efa8ff575a117300d6f9f62b
SHA512

0be57c58a1d948de216332cef13600af554a4e0f5d395ff92f51bc574dbd5d0d32ceeb19d5f0e4532fb972141cc93b7de01f0ea9d4b88ff261bed07c67a21f98
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAldhvxWa9P593R8yAVp2H:+DqPe1Cxcxk3ZAlUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2680) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3516 mssecsvc.exe
3452 mssecsvc.exe
4848 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3516	mssecsvc.exe
3452	mssecsvc.exe
4848	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 548 wrote to memory of 2508	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 2508	548	rundll32.exe	rundll32.exe
PID 548 wrote to memory of 2508	548	rundll32.exe	rundll32.exe
PID 2508 wrote to memory of 3516	2508	rundll32.exe	mssecsvc.exe
PID 2508 wrote to memory of 3516	2508	rundll32.exe	mssecsvc.exe
PID 2508 wrote to memory of 3516	2508	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9c83055748bd40c550c395f81f7738a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9c83055748bd40c550c395f81f7738a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2508

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3516

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4848

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
344f053528ca89fa1dd9afd1bdf226be

SHA1
466a2e006d32f416174868a9d6cfef45c532bba5

SHA256
74d41a2b54476c3aa67dcfc278dc8602b597746eef49b200afbd74a8fad9dd0a

SHA512
f2e76d37945c3b7f3ee74dc577aa1ff6f96c1bb712150f97d3d69b2e5c2d113c4e7450be714d4f46e052d77b86727f6d3797578d0f6d498ee6b3881980e4c06e

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
1879cd317de1077793b9e7ad9548fbad

SHA1
89b5d4bfa3cf362e73d516d757103170fc025818

SHA256
fb27e78cd4cba316b4bdd65305fe5f3475154055a601967ff873c0982f0d31cb

SHA512
995b341d9bdca393c423130b99d77bfe04d06dc6f956b5e36f58bbe42775035034558ed7ded9387fd29a8aae791db0df18c1776131bfe6f7bd6ed0711584115e

Download Submit