wannacry | 8fdc2a142fcc96b6f6f39387f78abb2b8705014102ccb91e9df60fe761a4cb12

Analysis

max time kernel
25s
max time network
31s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-04-2024 15:00

Target

01028b2b86548e8c91fc9db5aca4cad2_JaffaCakes118.dll
Size

5.0MB
MD5

01028b2b86548e8c91fc9db5aca4cad2
SHA1

bb55d2c339fc64ae823e9025bae6579e23fd895a
SHA256

9e7ccdb8b108976057d14f9c2074bf8366d9533ebc58c607ff8976693455df65
SHA512

77da67ea8c0265af3ff5f3323f0a0fab02feb275e4578f1e09a50f4bdc1623313d3e9850e5933c6e4d0b7adb343b1969a82d16e2d7597f3eb28263a1f4707fea
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLTkRiwDnz9cEA5yYSZxN0:SnAQqMSPbcBVQej/1INnkRiwt/Zx+

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4724 mssecsvc.exe
4408 mssecsvc.exe
5032 tasksche.exe

Drops file in System32 directory 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4624 wrote to memory of 1144	4624	rundll32.exe	rundll32.exe
PID 4624 wrote to memory of 1144	4624	rundll32.exe	rundll32.exe
PID 4624 wrote to memory of 1144	4624	rundll32.exe	rundll32.exe
PID 1144 wrote to memory of 4724	1144	rundll32.exe	mssecsvc.exe
PID 1144 wrote to memory of 4724	1144	rundll32.exe	mssecsvc.exe
PID 1144 wrote to memory of 4724	1144	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01028b2b86548e8c91fc9db5aca4cad2_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4624

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:5032

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
35ead6ca4022338cded8ce1a82b249af

SHA1
3fe41cabc566b24fdcfb096d93a4fce82eb0cdb1

SHA256
fab3613a72427bb1c0a34860849ea8da53ae19564c1715ceeeb0e12ecb407d5c

SHA512
850f13ed713551d1ff1a4cda7d2101476c5490a4d68c931974813409090290eaee244b829f8d3a05345ace871fe285f66505d52d5f6787de1f09f9fec04b9d47

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
6d6ff7e1d9ec40890b49efeb78d35f88

SHA1
aaec19fb5d7546204455506b4c8eca66f1409794

SHA256
82efe3dccc13aa9259c043aae7ec695391828ca65f80f742e4fab22fc8d186a5

SHA512
0574dcd16ea835d2530486778dbdcaa217047fa3ea21da4c83c8bddc7c43529d1b204a9eceb3fee34d58e1b56052791ae8742924a9ceba9b525c1576efbaf434

Download Submit