wannacry | e9cff5f99299ef3d6815db4e2f3d58a55be0b66ac0ab7a1fb6fcad31541351a8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d0052e957db640db952d6c54490080_JaffaCakes118.dll
Size

5.0MB
MD5

15d0052e957db640db952d6c54490080
SHA1

a87133dcf3d701ec0e693cab9d47666cd9333d87
SHA256

e9cff5f99299ef3d6815db4e2f3d58a55be0b66ac0ab7a1fb6fcad31541351a8
SHA512

11b08d73581b9403e506ec0804b4afef527bb100668c9c6a190f5bceedb9ba8ef14d4a4c41b86ea8482f2a82f025d456308c28c6a58748346286ae61ed37f637
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz662Ydq/:SnAQqMSPbcBVQej/1INR

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3304) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2932 mssecsvc.exe
4448 mssecsvc.exe
372 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2932	mssecsvc.exe
4448	mssecsvc.exe
372	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3380 wrote to memory of 1616	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 1616	3380	rundll32.exe	rundll32.exe
PID 3380 wrote to memory of 1616	3380	rundll32.exe	rundll32.exe
PID 1616 wrote to memory of 2932	1616	rundll32.exe	mssecsvc.exe
PID 1616 wrote to memory of 2932	1616	rundll32.exe	mssecsvc.exe
PID 1616 wrote to memory of 2932	1616	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\15d0052e957db640db952d6c54490080_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\15d0052e957db640db952d6c54490080_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1616

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2932

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:372

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
49ad63f2ce10ba785865ad8ee0ba515f

SHA1
5701c87ac35aef938dbb4e2546a8a59818eb3929

SHA256
f36e63e66ae9ff5d46b22006ddaba809adc8ac7c8137177b84973397a714dd5c

SHA512
01f9ba4061f968a91fb0713977fadae41e85c369f1fa7bbb4dd4458bdc58c41a62f3fd628d94d386c4986fb91d10204e6816250ddc280ae612d10d0e4eb227bf

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
6055c9a8d5adac5317ead81707b2f68a

SHA1
486ab8a40bcecb4340f12c9d7c4ed0e37121dd61

SHA256
182d74b62eb92e1b126572511abe2c0509543ea7392709bd701e0f5762ed1480

SHA512
ad1eb7da6c0f550e873dc5d00bf1c94c398475052e03e1bbcee7a983d82862539d69be40eab952bd173f1fc43e41e76b49d23b78ef77223b16002d770a3e250a

Download Submit