wannacry | b29dfbe67e3703210820554e11cb2704e731117ba69ec2a45488816b1b46a088

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c2f910e67c719b5a9b58c19a85409e1_JaffaCakes118.dll
Size

5.0MB
MD5

2c2f910e67c719b5a9b58c19a85409e1
SHA1

0de249d9881bd73288680c784c7471bbbad4850c
SHA256

b29dfbe67e3703210820554e11cb2704e731117ba69ec2a45488816b1b46a088
SHA512

df8e701143ec8b1d832a3309f01e0a320a21a78ebd33ed34f25bad8a905c29f734469e0b1b14780b2e7beb9b8238001ec447b6511164ccc448ecc0ee915e0af8
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593iH:+DqPe1Cxcxk3ZAEUadziH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3256) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3092 mssecsvc.exe
1996 mssecsvc.exe
2816 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3092	mssecsvc.exe
1996	mssecsvc.exe
2816	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5052 wrote to memory of 3620	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 3620	5052	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 3620	5052	rundll32.exe	rundll32.exe
PID 3620 wrote to memory of 3092	3620	rundll32.exe	mssecsvc.exe
PID 3620 wrote to memory of 3092	3620	rundll32.exe	mssecsvc.exe
PID 3620 wrote to memory of 3092	3620	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c2f910e67c719b5a9b58c19a85409e1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c2f910e67c719b5a9b58c19a85409e1_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3620

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3092

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2816

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a0a2cbcbe38bb69813f79a5314958c40

SHA1
a5d2df98e071995fb4430b606b3209612f30127a

SHA256
a15b2406a8955fcabdbf929ccf7163155722205123fd6c064483c00f38ddc6f1

SHA512
91303fed6e4e18e6788853df29556b0f61070026f34ca680f65d74279134ecfd7e8b5ba3e3f97e6b0e7fddfdb98dcbd387632ca911afca1ce8c4144adc118999

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
e937be60cf696dce4fa2865ae1db0e24

SHA1
762513be11487add747ca26c73feadeff548939f

SHA256
48cad3f1d3384b6355d39ca3a459d84d36c7b406487df57bea5175d767c48044

SHA512
3992a7034a7ab933d0d223934d9c1e39c37b207ef27190f0b48a42e014a03dc4081e35b87d4dd15a3736940e93eadadddad8ee92aef3f84897e5306d33eed00e

Download Submit