wannacry | a34eaafce577e7a9322d363cbb9344251b8dbb03bde7fb0a3e23bfdcea7c33f7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbb55c11107bd7609e5fe83a86739201_JaffaCakes118.dll
Size

5.0MB
MD5

bbb55c11107bd7609e5fe83a86739201
SHA1

7be37ba3e6fa7fb69c1d2f123d8ad31e59c19f2b
SHA256

a34eaafce577e7a9322d363cbb9344251b8dbb03bde7fb0a3e23bfdcea7c33f7
SHA512

daa58fa0d2cc5fca7a31b17395718522fa195e1af69a5dc0e696a3df2695c443428efac1fb19ac46aa318a40b2239c3fd0c0c99fee8b60a5aa5e89226e6324a6
SSDEEP

49152:SnAQqMSPbcBVQejDAMEcaEau3R8yAH1plAH:+DqPoBh/593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3244) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3384 mssecsvc.exe
1980 mssecsvc.exe
1172 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
3384	mssecsvc.exe
1980	mssecsvc.exe
1172	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1696 wrote to memory of 1840	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 1840	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 1840	1696	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 3384	1840	rundll32.exe	mssecsvc.exe
PID 1840 wrote to memory of 3384	1840	rundll32.exe	mssecsvc.exe
PID 1840 wrote to memory of 3384	1840	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbb55c11107bd7609e5fe83a86739201_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbb55c11107bd7609e5fe83a86739201_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1840

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3384

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1172

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
8eb1c61db0a85301d12e9d8ce2ce810e

SHA1
52d34f5820093a94841150ca8b38328fe4f4e00b

SHA256
be66484b42b5294199722bdd3c62ee1691eb088d04a4b2ddb85b4fe9b1b23771

SHA512
ad43e1f11c459d9ddefca40b34fe2f839a47c819b04ff0874e9b9c07ca9071bf497d16bd7a884a69306d617c44bd4f66327b7b67c4540483caf0d90fc81055be

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
f247df8c4e10f2b854eb0e10d34ec2c8

SHA1
dc011755c816efd8659194010bf714e26c5448b4

SHA256
a531ddfa509a85123ba9d49f97a2a776834719fd5b36fb0294c05fb7c583243f

SHA512
6f3128d06ef8729ce91d7af1650f8d44be4ed35cbe92a3daa3232e3b66aca92c907a70609dc0d1f7ce8f989563930d7e03ec672a6b5075db2996c82794e57506

Download Submit