wannacry | b21afd7e789cabc476f4b371b53ea9b58f60fc4a6b9cdd900a3e66c2d22cafae

Analysis

max time kernel
150s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6778f5c54d5906dfde09a8d37fa7537d_JaffaCakes118.dll
Size

5.0MB
MD5

6778f5c54d5906dfde09a8d37fa7537d
SHA1

77c32c465392264a8b5ac49b1d4665d47e26d87b
SHA256

b21afd7e789cabc476f4b371b53ea9b58f60fc4a6b9cdd900a3e66c2d22cafae
SHA512

9e4f03690a494119060f13f476e76dade5f4cbd052d9bc873be837e7aa74067c10568f7e3ece8a0baaf400f5a798ed74f9aae5a62be547abf8754a2c8a32d4ed
SSDEEP

49152:SnAQXMShacBVe/1INRx+TSqTdX1HkQo6SAARdhnv/Eau3RZAH:+DXhfBQ1aRxcSUDk36SAEdhvW3RiH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3220) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 2 IoCs

pid	Process
4796	mssecsvc.exe
3120	mssecsvc.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 3948	4032	rundll32.exe	85
PID 4032 wrote to memory of 3948	4032	rundll32.exe	85
PID 4032 wrote to memory of 3948	4032	rundll32.exe	85
PID 3948 wrote to memory of 4796	3948	rundll32.exe	86
PID 3948 wrote to memory of 4796	3948	rundll32.exe	86
PID 3948 wrote to memory of 4796	3948	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6778f5c54d5906dfde09a8d37fa7537d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6778f5c54d5906dfde09a8d37fa7537d_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4796

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
55080d7d11f67cfa57b37d6e69e79387

SHA1
22a09e9f793c5ad7affefab60c98d3758821c4a3

SHA256
edf132b59e8536178369a7f7383bba37248d90ad5eefbc6c3001ee68554514d6

SHA512
7116e86539844e2e279a3b22bd67ac7759dc9dc2f1d1f35a79466a4b53568d381bdff491809e80c126df23b08c529a0f4b4dcf88aea3b0426756a9a062b22e33

Download Submit