wannacry | 06cc1cf5c6f98e91d17ce4b86ecc78b5dab56130198235d5ebd956ad4e2980a1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4df03efd1558eaeee19808c9f133b61e_JaffaCakes118.dll
Size

5.0MB
MD5

4df03efd1558eaeee19808c9f133b61e
SHA1

5f018de1b021226428135af117f492996cee5d6e
SHA256

06cc1cf5c6f98e91d17ce4b86ecc78b5dab56130198235d5ebd956ad4e2980a1
SHA512

798a0b2beedea2bb944001c31fe38de1c700958f92dc0bf8a0ca18cc229f7341a42cf0526c408cbf90a14338224255495da0d0094626999272820d1eca288bf9
SSDEEP

6144:yE9l9yUqIYVTH5DgSg8ajldktM0XXrP2QhMV9qbBLIwYQuy8:yvbLgPlu+QhMbaIMu

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3336) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4564 mssecsvc.exe
3200 mssecsvc.exe
1764 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4564	mssecsvc.exe
3200	mssecsvc.exe
1764	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2004 wrote to memory of 3872	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 3872	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 3872	2004	rundll32.exe	rundll32.exe
PID 3872 wrote to memory of 4564	3872	rundll32.exe	mssecsvc.exe
PID 3872 wrote to memory of 4564	3872	rundll32.exe	mssecsvc.exe
PID 3872 wrote to memory of 4564	3872	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4df03efd1558eaeee19808c9f133b61e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4df03efd1558eaeee19808c9f133b61e_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3872

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4564

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1764

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
b6a79236c888b3710beb1bd8bfde513b

SHA1
896f70487c06d860b20f463d21298ffb880adbfc

SHA256
ae1bd2bebc2479cecc03d7eebfb93e3e0d9a02fcfd7ff27b3ad7baf1739af822

SHA512
0695d764afde66e35b243588b4bf3e6c93a01d6ed73e0c3200a54cc422572a24faa1ffd7d2a1efb26a8c9a088390493d3bf0eabb748160d04c297c1e142ea1ab

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
d835fb84413ab5980a8c6c240102589c

SHA1
b16a433200c9b31d6e96080040546d8e504bcee1

SHA256
62c8e06fc684d111157886a85bbd934e64bfa8607b9ec53d362bfa9520c939b8

SHA512
a9994016cdf027b8512877f7c565b6e7efb3bc9e09e2b85af09fb462607bb70f9ee68c793d1bde9cedea6b1d1e8bb3e96298cce902c598e703113c2274fb2538

Download Submit