wannacry | dc32d813ad214630bb37766a2b152e9956b3aa234c225c8685d9fc8086560ed7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

318d242361e7d8f331de4d54c200ee62_JaffaCakes118.dll
Size

5.0MB
MD5

318d242361e7d8f331de4d54c200ee62
SHA1

acbfdb7e880d112534d107683410f8649753aebe
SHA256

dc32d813ad214630bb37766a2b152e9956b3aa234c225c8685d9fc8086560ed7
SHA512

b72b42edab5083e0d76f12f2cd74bf8ff192decb318e17c205d77696637fd3f32bd4434dcaa6013f46189d7863dabed94b2237f4c2a180d6d9f2c26ef36f923d
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp:+DqPe1Cxcxk3ZAEUadzR8yc

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3373) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2968 mssecsvc.exe
4624 mssecsvc.exe
2300 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2968	mssecsvc.exe
4624	mssecsvc.exe
2300	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5012 wrote to memory of 1564	5012	rundll32.exe	rundll32.exe
PID 5012 wrote to memory of 1564	5012	rundll32.exe	rundll32.exe
PID 5012 wrote to memory of 1564	5012	rundll32.exe	rundll32.exe
PID 1564 wrote to memory of 2968	1564	rundll32.exe	mssecsvc.exe
PID 1564 wrote to memory of 2968	1564	rundll32.exe	mssecsvc.exe
PID 1564 wrote to memory of 2968	1564	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\318d242361e7d8f331de4d54c200ee62_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\318d242361e7d8f331de4d54c200ee62_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1564

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2968

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2300

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
50157ef9512104f26b1945991fba273b

SHA1
87040bf3c9d15a6d211f7ff156978acd9b92704e

SHA256
17b68f8b52c9d0eac70c02e938a6423849379c281e0ff992970f3cbf62d55117

SHA512
10d9df25603256ac6a9b855df400875864ee40075d6823674fa9bd1e9c19ef58acc417e6fb53d39912c7e3190f50f046c785186602435cd4f66b5147e90fbd7f

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
bf497822791ced8502e8e538a151bec8

SHA1
02401a4c315cc8edfdda20f320cd27a6fd8c4464

SHA256
208ebf46de7d3e46daf6e57c6a442bfb86538decc9de1db80dbe6c544a8ea862

SHA512
af309545278acf8868d818ec1607ee426c7bd4acd3682cd7ab7ab731b560b571154dde9244437640cf7a49822ae584e0a006d3816b39aa5f064a5d2366c284fe

Download Submit