wannacry | 27549a91bec864f1cc2342341759e484b8ae9e3ee278fb310739cd1a088bab42

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adb052afc3a5dcef371014ee6c301e2f_JaffaCakes118.dll
Size

5.0MB
MD5

adb052afc3a5dcef371014ee6c301e2f
SHA1

51ddea9f9dba70af190e6b9eb7dea696398ea3e1
SHA256

27549a91bec864f1cc2342341759e484b8ae9e3ee278fb310739cd1a088bab42
SHA512

5cab08d141e8b2d2e0bec90477337f0fd2181e999a3a195c395d1da032da0a22b5ca043a2b55afda339d7682f39d20171eac1cd9647bf6f4f042ddcddb731b76
SSDEEP

49152:SnAQqMSPbcBVQej/1INczcLh2+dnOscK:+DqPoBhz1aczcLh2+dnOscK

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3283) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1896 mssecsvc.exe
2068 mssecsvc.exe
3428 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1896	mssecsvc.exe
2068	mssecsvc.exe
3428	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2484 wrote to memory of 2368	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 2368	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 2368	2484	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 1896	2368	rundll32.exe	mssecsvc.exe
PID 2368 wrote to memory of 1896	2368	rundll32.exe	mssecsvc.exe
PID 2368 wrote to memory of 1896	2368	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\adb052afc3a5dcef371014ee6c301e2f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\adb052afc3a5dcef371014ee6c301e2f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2368

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1896

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3428

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
41a5c6abab1dff49e824adc98b5b78ff

SHA1
de5ec3062727d685bc9ba04cffbc6194461ac59b

SHA256
1b183526cd528e63abd3b0031e7e8a3c91cfb763e026402f9cc6344e8d24b052

SHA512
afee2628df62535ada7a9035a192356d48e834f9252235b36dd401aa32eb717d652c8fae7cbb03e18e67dbef7af7e047f9d3dcb96c10de10a1310d1696523756

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
0105ad83ed267920306c85c72a535c79

SHA1
296a1f40add02ba8510f23fd6ad4e918481ea811

SHA256
13875254a6284abc95e310df07feb6ee0bfb88bec025ac8da3d45c14d4b2c1da

SHA512
54654c030f18c7dea1832b9484a1311d9ec0dc89831cde208885fc7b1ee65fc55cab4c7d54ac93082d8537062e3b1224d1b1c6f0b62ee517916d8cf86367d8ac

Download Submit