wannacry | 5ac61f72e937a61eb969759f64a5a4060153dc315d5deadfd2d2d84f109bbd79

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll
Size

5.0MB
MD5

ad9a429162ba44c3e9a67f961c6cf772
SHA1

7f1889d024d276c8f5b89858cdcb86603ed27b4f
SHA256

5ac61f72e937a61eb969759f64a5a4060153dc315d5deadfd2d2d84f109bbd79
SHA512

6ab21a2005d0db99e3cb0bf329d0edeb9b798de23acb1b7be065881f4eb7a2aba038a3079f51ef20e7e8e6cb4ba4f1a6f9307c4bda4ddc78c779a58da5acb8ff
SSDEEP

49152:SnAQqMSPbcBVzAMEcaEau3R8yAH1plAH:+DqPoB5593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3246) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

5016 mssecsvc.exe
3012 mssecsvc.exe
4904 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
5016	mssecsvc.exe
3012	mssecsvc.exe
4904	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1928 wrote to memory of 3344	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 3344	1928	rundll32.exe	rundll32.exe
PID 1928 wrote to memory of 3344	1928	rundll32.exe	rundll32.exe
PID 3344 wrote to memory of 5016	3344	rundll32.exe	mssecsvc.exe
PID 3344 wrote to memory of 5016	3344	rundll32.exe	mssecsvc.exe
PID 3344 wrote to memory of 5016	3344	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3344

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5016

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4904

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
c4981707b52e51df0841f0476894d6db

SHA1
f62d2fa3ed07c86d3f7643ce2bfe6bbda050d151

SHA256
e44250667e1f107a2425402b355171c19fe63b0b0de625ed952234c31e0fe262

SHA512
3d7e7d714f03a657eb2a1c34a7cfbab6a6bc811dac5a4d8cd60ac57f36726c188c0ab662b1e22e662a107576d105ed518405a1b795023a72f6bdaebdcc9486c4

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
846bb9842a13355a8398ca894e8d00c1

SHA1
a2eb535c89fd44a3fcaa2b2e4ad51b6227717aed

SHA256
241dbd92f8dee3168efd05fdb6c3402129fa9701d032f98974febc1e2980166b

SHA512
84b6c141b8ad61c27f7ce2f6837dd129629371568107e0d132d2a72cedc8506147dfe8ed63b9c98607aefbb0d4e876fe2aeb47508ec49d6a0b798389afcb183b

Download Submit