wannacry | 966808fedf628f70fc4c4585053dc92c0ff5653392752a63a5799360fbba700a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2fa771f1bfd41dce4f01548dd3e068f_JaffaCakes118.dll
Size

5.0MB
MD5

b2fa771f1bfd41dce4f01548dd3e068f
SHA1

9940c3edb984aa57715346c69fa814540a87a362
SHA256

966808fedf628f70fc4c4585053dc92c0ff5653392752a63a5799360fbba700a
SHA512

384df77116bfc3e780c9a73367d1b2cb83394bf3c137b2f9f014a4e7271e82082718fb6c742896ebf1d04b0e7968b0596290c4bb4e1b61025198697450e5bf7c
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0INZtA0p+9XEk:SnAQqMSPbcBVIlAH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3172) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3700 mssecsvc.exe
5020 mssecsvc.exe
4752 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3700	mssecsvc.exe
5020	mssecsvc.exe
4752	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 784 wrote to memory of 4680	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 4680	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 4680	784	rundll32.exe	rundll32.exe
PID 4680 wrote to memory of 3700	4680	rundll32.exe	mssecsvc.exe
PID 4680 wrote to memory of 3700	4680	rundll32.exe	mssecsvc.exe
PID 4680 wrote to memory of 3700	4680	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2fa771f1bfd41dce4f01548dd3e068f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2fa771f1bfd41dce4f01548dd3e068f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4680

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3700

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4752

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d57fcc1ba50a56046029fec58fc130fb

SHA1
ec48dbf27f867700d4b042e4b5a92104133599a9

SHA256
cbfe1f6eda09a33b98bbc86f10525619368355f7ee6a4fef8935b245ea10c180

SHA512
7c0318fa3596494d88879ac05dea8d5e9a069cd60fea3dbe943c82093e71436c628570abad87888ed15bd55e8a45a7d679c80848a65b0d63093a79b6f3eb46f2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
cd7d5e8c2a4477ad9fd7bee5bfa87a5d

SHA1
73b0ae8a2901b6655ab097b765c51f8640ce3cbb

SHA256
61544d4e6b6f59fd4ab32c0f11e1dd1f01e8caa16cb7b3333cb4d1d8f4456503

SHA512
32948ca61a607d94021ad014b228f64deac76e566ceecf227c72e644e0bbd375a6e9a646c2dd59149170ad2b6c8c9384d2bf4591c4ce940d433fa14716632137

Download Submit