wannacry | ec2a990e5ceea72eec6128d38e8debedffbe6cac244f7ee5e5e3d58e2ad0b202

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll
Size

5.0MB
MD5

430599e85618bd750b5bbfb21cb5f857
SHA1

c9ff0c824d324d6047a31eb07da54ba43a0a8b86
SHA256

ec2a990e5ceea72eec6128d38e8debedffbe6cac244f7ee5e5e3d58e2ad0b202
SHA512

579734a994750f09d3cd6feb1d6e5f2793bce1eca37f65cb4fef50c0c908b18248e143a85cbf3d62bf5d0af1e5a4b48faa94dc3e92846e615215276b9322c1f7
SSDEEP

49152:RnpE/bcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1p4oBhz1aRxcSUDk36SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2136) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvr.exemssecsvr.exetasksche.exe

pid process

3576 mssecsvr.exe
1592 mssecsvr.exe
4788 tasksche.exe

pid	process
3576	mssecsvr.exe
1592	mssecsvr.exe
4788	tasksche.exe

Drops file in Windows directory 4 IoCs

Processes:

tasksche.exerundll32.exemssecsvr.exe

description	ioc	process
File created	C:\Windows\__tmp_rar_sfx_access_check_240653703	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exemssecsvr.exe

description	pid	process	target process
PID 4848 wrote to memory of 2084	4848	rundll32.exe	rundll32.exe
PID 4848 wrote to memory of 2084	4848	rundll32.exe	rundll32.exe
PID 4848 wrote to memory of 2084	4848	rundll32.exe	rundll32.exe
PID 2084 wrote to memory of 3576	2084	rundll32.exe	mssecsvr.exe
PID 2084 wrote to memory of 3576	2084	rundll32.exe	mssecsvr.exe
PID 2084 wrote to memory of 3576	2084	rundll32.exe	mssecsvr.exe
PID 3576 wrote to memory of 4788	3576	mssecsvr.exe	tasksche.exe
PID 3576 wrote to memory of 4788	3576	mssecsvr.exe	tasksche.exe
PID 3576 wrote to memory of 4788	3576	mssecsvr.exe	tasksche.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2084

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3576

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4788

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
03e8741684a2ea2aa24bad8da574435e

SHA1
9cc3be4e47aa9f1df05c1fdb8d528cfd09b8b88c

SHA256
4128abf9efa8bca93aede9b4a44aab78fab27d634f4c9581c64fa54d3bb8993e

SHA512
ff6d7dcc2242f316e31b073a9f662ad6d7bc7c31c6eedfde75e1b16109a1f8c3c70e1de92ee67db62e0561572d53c118240a3a5ec2004c12ed1d54cc3aa693d5

Download Submit
C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
1ff321de9e6b8a865048789e18bb4232

SHA1
67a548cf33d086c224058ab30c631c04f5dad29d

SHA256
ead0300a439be8ea26abc28944d1d3eb3b111ba1b3cad76b3b0f00b26dadd97a

SHA512
ab57e6bdce2dd71c49affb8c093384e27d2cec6b4165a0089617098ac30ab00715e0251cc5f96f5710a74215c9eb8804113c177df7deef046d895ac733bba0bc

Download Submit