wannacry | 61ca854a98214db0ac2a90843129135063bac09df891a67e551efb8d12d1a28b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39d3523d629276a9c75f0e4bfc954c4a_JaffaCakes118.dll
Size

5.0MB
MD5

39d3523d629276a9c75f0e4bfc954c4a
SHA1

6fb54e3a7e8c9aa6d08b3f30436e7c6aaccc76aa
SHA256

61ca854a98214db0ac2a90843129135063bac09df891a67e551efb8d12d1a28b
SHA512

751b561d7ab65558b321c2c3a7f8ef7c6ab0d9b838ee361ab0bf5088eac9ee1be0dc78059ef5b6ea9e894e86a9587b7c46c9cf50eb7a1de48dec24d6731d23be
SSDEEP

49152:SnAQqMSPbcBVQej/1INeRdhnvxJM0H9PAMEcVR8yAH1plAH:+DqPoBhz1aydhvxWa9P5vR8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3205) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

368 mssecsvc.exe
2620 mssecsvc.exe
1356 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
368	mssecsvc.exe
2620	mssecsvc.exe
1356	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1792 wrote to memory of 5060	1792	rundll32.exe	rundll32.exe
PID 1792 wrote to memory of 5060	1792	rundll32.exe	rundll32.exe
PID 1792 wrote to memory of 5060	1792	rundll32.exe	rundll32.exe
PID 5060 wrote to memory of 368	5060	rundll32.exe	mssecsvc.exe
PID 5060 wrote to memory of 368	5060	rundll32.exe	mssecsvc.exe
PID 5060 wrote to memory of 368	5060	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39d3523d629276a9c75f0e4bfc954c4a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\39d3523d629276a9c75f0e4bfc954c4a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5060

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:368

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1356

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f53b04d4b236af77e1853398eaec5a7b

SHA1
5f8190eca08e9bf233b74a3299c7b3ad7b9ff699

SHA256
f5a7e64034c3d542f27a150a932165adbf5f75a811ad5e38ab6e0e32b44057c5

SHA512
bfeceb1a7aada2151e9fc58c8deb22392b01578634eebef4698a6cbf644bc9b35460cf2a2aaffe04c80650dce60739c7cdad2d2f9fac61c2fb98ac29151d630b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
12238b0db2e97762b796e6c16ffd9a2e

SHA1
48da95af615de00b8e1f7997998e2cef8cd08781

SHA256
9053e3ae9b5023cbe51cf99ca73cd941ebb44772627ff7e371681eaa96887e0a

SHA512
3fed6683dd05532776f46fe818f314a8f5121c2f4ba340ae741b0bc45a215302d4d88b90e142ab9cd2ea5f7e270d988283386593fe2b0066d24f72daaa0d3620

Download Submit