wannacry | 4d29758ba37b2e04b17ced84f9662b2afe2ea2a0253c344fa2ae2cc519812abf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll
Size

5.0MB
MD5

03096422415d2c4c983d39eb6b290145
SHA1

97f3e8e2eee42c0016e4483ed291cac4aab1fce7
SHA256

4d29758ba37b2e04b17ced84f9662b2afe2ea2a0253c344fa2ae2cc519812abf
SHA512

77ae845aa662d8f9ecdee86fda1002ebbf5c851580a1365e01d385f87a25f5e2dff471645a426779ffe0002a1196165bffcb1a6b0a38e1a463993a6188a95c96
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3185) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4344 mssecsvc.exe
4104 mssecsvc.exe
364 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
4344	mssecsvc.exe
4104	mssecsvc.exe
364	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2764 wrote to memory of 2712	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 2712	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 2712	2764	rundll32.exe	rundll32.exe
PID 2712 wrote to memory of 4344	2712	rundll32.exe	mssecsvc.exe
PID 2712 wrote to memory of 4344	2712	rundll32.exe	mssecsvc.exe
PID 2712 wrote to memory of 4344	2712	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2712

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4344

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:364

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
963c866614ab00596a3a335e0ea85f53

SHA1
9a3e2f950acb6b8cc1b44d4c254d4c4f0668a944

SHA256
16ebb03232914b826b48b00c8231ed80fa83fbe6e76afc864c55e33d47b94181

SHA512
942976c5c6ffee5d0cb80a2f10d531a3daebf9e51fc8f8e8c7886aef8012ceed9d6cd9cd92a1920c81555b87e970d122734bb09558a5e7259c2f983c3771f06d

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
49ebfd1f74d61f1addfd4a03ae277198

SHA1
64981e9feef4244c7d5b583cf8caa0043327e1c4

SHA256
7428842afbd1d547e28a861d9c00704ea0d9e891140666ae1867766d96f63559

SHA512
8679a4ad2ef64b32bf13c57a9957e069acd44a95c09f755a0d25281b0dfdd89eb18ba8fb53efa49f9035c0a5eecde4c2ffcfd7093186d23b0fb07dca25394222

Download Submit