wannacry | dcbc1a2b1401cbe81037a3230c9eaffeaaf5d98d6fdb4913ef724b88b3fbfecb

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0138fdefbd033db002dd80f58d5c4746_JaffaCakes118.dll
Size

5.0MB
MD5

0138fdefbd033db002dd80f58d5c4746
SHA1

95437a1c99f6e6869961195530309851ad476d70
SHA256

dcbc1a2b1401cbe81037a3230c9eaffeaaf5d98d6fdb4913ef724b88b3fbfecb
SHA512

8b5d4c4ef5fa9cdd096188ab2fd97ba1e72d963ed974823ab82188d753fe15545d2dbce3b43c951317f62469e4b80ca914c7e2488b01f8a3d26a8c2a8bda5004
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593W:+DqPe1Cxcxk3ZAEUadzW

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2653) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2396 mssecsvc.exe
3936 mssecsvc.exe
628 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
2396	mssecsvc.exe
3936	mssecsvc.exe
628	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1936 wrote to memory of 3148	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 3148	1936	rundll32.exe	rundll32.exe
PID 1936 wrote to memory of 3148	1936	rundll32.exe	rundll32.exe
PID 3148 wrote to memory of 2396	3148	rundll32.exe	mssecsvc.exe
PID 3148 wrote to memory of 2396	3148	rundll32.exe	mssecsvc.exe
PID 3148 wrote to memory of 2396	3148	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0138fdefbd033db002dd80f58d5c4746_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0138fdefbd033db002dd80f58d5c4746_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3148

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2396

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:628

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
6cd7035ad95b883cec70dd0bb8c7be57

SHA1
a391321b8d1c9c4c52474c17b2fb2e3a8429f9dd

SHA256
60d743593e035097c9f630bf8321b77f841d9b96262ce04f96489508f52be1f1

SHA512
19c83b8a766d2487d0c7a494678125d090f4246f4cee7a475d092f164421e937cef99414845f9cc48ecb9aebc13f2b8defdddf83283e75eacc4a0a95b59c5583

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3324f5c69e80820e2ff666b6d363c456

SHA1
87b8cc74cd315e146de6486cbbbef213fdea930a

SHA256
e73c6b8ae883749cf482c1651c4fdc1442ab0c5f885ba6180dc35cdcebe0a86a

SHA512
ca16ce718e7cf7f08be01a2d40d26b83b703c4c27bec1e8aac9d5c51f88355b16b1a32e9f52ab3e32bf1e8160c4f9f8691abb9b76aad10cf862ebb93d8244b3d

Download Submit