wannacry | 8bc656dc3282c817d9b5fff6efeb51126fbc8f655cf4eddc783c2dbb43932b1e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9df4b91b5b311c94181b3d425efda4f_JaffaCakes118.dll
Size

5.0MB
MD5

a9df4b91b5b311c94181b3d425efda4f
SHA1

a6c39e6bdda4afae0af8096a1bea26105368e501
SHA256

8bc656dc3282c817d9b5fff6efeb51126fbc8f655cf4eddc783c2dbb43932b1e
SHA512

73b6f6f2a97af5b62236b3959ed49dc652499b4c0504846f89e66fd8c4acc1e03581510c680d38d3c986f527bef03632c7f52fecd91e8debbf6c158a361ac65f
SSDEEP

98304:RDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:RDqPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2687) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
452	mssecsvc.exe
2188	mssecsvc.exe
1276	tasksche.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 628	1588	rundll32.exe	81
PID 1588 wrote to memory of 628	1588	rundll32.exe	81
PID 1588 wrote to memory of 628	1588	rundll32.exe	81
PID 628 wrote to memory of 452	628	rundll32.exe	82
PID 628 wrote to memory of 452	628	rundll32.exe	82
PID 628 wrote to memory of 452	628	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9df4b91b5b311c94181b3d425efda4f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9df4b91b5b311c94181b3d425efda4f_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:452
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1276

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ce0248753874acd4c7bd6691e26d6544

SHA1
41bcde2d7c76595872e0c95718b29b5e5d7e4fd0

SHA256
53aba7c89d13de18db2b7f3a70195601bb31b1022114f8c05345daf00edb77dd

SHA512
59f94373e44ca19c086ec45b8e0a1bccdff23b43c6436fe660d2803b42fd515dd102f5725c915a66e60fc891e89ed1030016b294517947ac1bc88ee1b408fbaa

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/452-4-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/452-10-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download
memory/2188-6-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6.4MB

Download