wannacry | 397abd86ac6439477432185e74eb61e26601325eff5ae4471f5e63c847826464

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

132d93ae1cc1c7cbaed768c82cb24647_JaffaCakes118.dll
Size

5.0MB
MD5

132d93ae1cc1c7cbaed768c82cb24647
SHA1

e93f00ef621a278ce5f1c258e3684eaf3c2505f0
SHA256

397abd86ac6439477432185e74eb61e26601325eff5ae4471f5e63c847826464
SHA512

89f7ac829907a1e5dd26cb7987f134d56307dda979120016cc11adaa9b96e2933ee0d0093a015228fdecb33e9f38a1d188153f3bc5bf9ad8251105bfefabab1c
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kISX6SASk+RdhAAt/8uME7hNZtA0p+9Z:SnAQqMSPbcBVQej/f6SAARdhV3RllAH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3368) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1696 mssecsvc.exe
3724 mssecsvc.exe
3684 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1696	mssecsvc.exe
3724	mssecsvc.exe
3684	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4380 wrote to memory of 320	4380	rundll32.exe	rundll32.exe
PID 4380 wrote to memory of 320	4380	rundll32.exe	rundll32.exe
PID 4380 wrote to memory of 320	4380	rundll32.exe	rundll32.exe
PID 320 wrote to memory of 1696	320	rundll32.exe	mssecsvc.exe
PID 320 wrote to memory of 1696	320	rundll32.exe	mssecsvc.exe
PID 320 wrote to memory of 1696	320	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\132d93ae1cc1c7cbaed768c82cb24647_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\132d93ae1cc1c7cbaed768c82cb24647_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:320

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1696

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3684

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
ea407fcc303ca2f27c412f9b63121012

SHA1
4dd169ec76e7452ab02d445f386a0276671a45ef

SHA256
fdeec88605bf3a5e2ec91af7ffd3e7f6d1897cdc1e97a5ae2af4d2fe90c897a4

SHA512
851873d6b8bb23f5bcabc90ab89f54e099693ae9ba35d0b43027a84ebb2b560675f49558f0b4181d2285a4edf71415179669472b592e906e297bc6597b38a541

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
31320b6f1508a422c1715bb296b7a1d1

SHA1
e5bc1632b530ef7420131ab49b75b287b66889b6

SHA256
89b026d3b7e5bc1762551955e086c4cb72667afba47f5554875ec7db142120dc

SHA512
9467f6c3ebefd44868b4355a35c7b5d65eb5b2484d90b04e2079a196848cdc2cf4737e20414338951277968d8bb39676c71ac30fb3bede2704773adc003f30d9

Download Submit