wannacry | 8e051501bdc76a807f6f9fac9c35e0486cfe569387e83cc02db8f457831f7f41

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll
Size

5.0MB
MD5

ae71e9ba6e85f9c40b52b2c467b4131c
SHA1

93eea8186db083b07e1919bf02e9f1830140683e
SHA256

8e051501bdc76a807f6f9fac9c35e0486cfe569387e83cc02db8f457831f7f41
SHA512

96d37b967f79faeae1b955472bd730a279c530db07d96af282f278a23946dc71321015b90a513290992211b809daafd80a25746b164e480280e3ecba22dfc414
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTtW9bXZROAx:+DqPoBhz1aRxcSUtW9J

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3169) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

968 mssecsvc.exe
1744 mssecsvc.exe
772 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
968	mssecsvc.exe
1744	mssecsvc.exe
772	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4140 wrote to memory of 2408	4140	rundll32.exe	rundll32.exe
PID 4140 wrote to memory of 2408	4140	rundll32.exe	rundll32.exe
PID 4140 wrote to memory of 2408	4140	rundll32.exe	rundll32.exe
PID 2408 wrote to memory of 968	2408	rundll32.exe	mssecsvc.exe
PID 2408 wrote to memory of 968	2408	rundll32.exe	mssecsvc.exe
PID 2408 wrote to memory of 968	2408	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2408

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:968

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:772

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
c401944ecf7a4e179776ab6a3361a9de

SHA1
a0f35b374147ad559581e80c9cdab73f8d466068

SHA256
7ad8f33638095c9fdbf19cf76298fa6b289f7e8b54020b02da0e45f417183aae

SHA512
0d2e969b33769d303e36ff3a1ac67c4a1b4a7062eef0d694bf634964b45c7d81171b7e2246bbf3380a61d9f4c205e116ca56706fd365e9fa82ca5a29a51e66a0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
2d0034f3b51564e3351da23b48b02f4b

SHA1
ff13439259e915e5f5cc59d0bd80b6c9e590d69b

SHA256
4a4ffa6740649ff9b369b398ae9af3e0dc0fcce97b3c98ee3379f1d41fff168f

SHA512
64561222ad29783ae540bb49e7fc9156f648f59bc822de6d68199834ed8332c68296a61b90f8abdcc6bb5872d5edbc2f1498a401ca64a66892d42b46ffbf29df

Download Submit