wannacry | 3318cd377e99133380674c6fcb5f845d04a7c3c9698b0a10eed5c50fdff13b25

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll
Size

5.0MB
MD5

af15853ba75f038f0ec9b256c953db26
SHA1

0e6454be8f386a253ce50350f7e592d6e37f485a
SHA256

3318cd377e99133380674c6fcb5f845d04a7c3c9698b0a10eed5c50fdff13b25
SHA512

6eae530eda00894c7c04a22ccbfaadcf915a4f0b84991c42c90d24c2f5f898f0e8d553895485802ecf45385cfa61b2562c066d8bda28df14bb6539746e27d923
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8:TDqPe1Cxcxk3ZAEUadzR8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3290) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4292 mssecsvc.exe
4264 mssecsvc.exe
1008 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4292	mssecsvc.exe
4264	mssecsvc.exe
1008	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 768 wrote to memory of 3560	768	rundll32.exe	rundll32.exe
PID 768 wrote to memory of 3560	768	rundll32.exe	rundll32.exe
PID 768 wrote to memory of 3560	768	rundll32.exe	rundll32.exe
PID 3560 wrote to memory of 4292	3560	rundll32.exe	mssecsvc.exe
PID 3560 wrote to memory of 4292	3560	rundll32.exe	mssecsvc.exe
PID 3560 wrote to memory of 4292	3560	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3560

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4292

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1008

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
38eb23176b98ab5b2e3f0889b07a4549

SHA1
768d48eda8354e73a5144ba04fafc4eabc9b9109

SHA256
caab28bd06cbf419db7ab2d9841b222d1507b8f446c2d86169e1b45e460d44d1

SHA512
eacf34d469320e411143b419e7e16c237e3eb2da17be2185f1757f9ecf649ae246b835c2a92dbd775bc31b1e81740d7a65c815d32bfc4fe9da6f3f919dc403b0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
16a42dab43ceee83448d66af017f813f

SHA1
cee73a8cf689f0d2f3a4930947f15a39e55803f0

SHA256
3e41be7f4946a6c5c858fa62b331a84f8a54c5fb8d42b412a6ccbdd3851015ba

SHA512
95bae8295680cb4c2c60038da8211d1ce9ef6895b375b3e36c1cb8eb7d99d609e4146a7697c7835cde1a41990036c2854aeaa086fcd9ebce7262dc51d2acf111

Download Submit