wannacry | 543b7b9393bd9202177b9ab87b27351818c8ad497a4c98eac678cb893f2a66b0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll
Size

5.0MB
MD5

2e81b88e80f28aec66d7cd5133ecc2f9
SHA1

94035e850ee7a618473d53c2f592895f654600b0
SHA256

543b7b9393bd9202177b9ab87b27351818c8ad497a4c98eac678cb893f2a66b0
SHA512

9d94bc5d0a1d685c06d1bd4eed74fb0f47c8de65b71bbd010e93f708f8d8e9214e27697d35a5ce3c91e610a192d6f68f327477a7e3abb80d5e2104a0b27ade72
SSDEEP

98304:+DqPoB5xcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPGxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3237) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4408 mssecsvc.exe
5032 mssecsvc.exe
908 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4408	mssecsvc.exe
5032	mssecsvc.exe
908	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 60 wrote to memory of 5036	60	rundll32.exe	rundll32.exe
PID 60 wrote to memory of 5036	60	rundll32.exe	rundll32.exe
PID 60 wrote to memory of 5036	60	rundll32.exe	rundll32.exe
PID 5036 wrote to memory of 4408	5036	rundll32.exe	mssecsvc.exe
PID 5036 wrote to memory of 4408	5036	rundll32.exe	mssecsvc.exe
PID 5036 wrote to memory of 4408	5036	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5036

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4408

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:908

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
8f7cb9b5f1ee6834427ce656255ba45c

SHA1
7fa33d93126aeef2c30659dc83d5aeaaf1aa0e49

SHA256
760417e8a56f54d22ed1dbd170dd33868a0c332d197b1c16fe47b89269528717

SHA512
d7a3d574fecb7e45b7d82d53f22c45e20179c6d7aa0d2eb0970380a8188f369a2c0214aa76bf66128f315a7d3365a0189ca940929bc9580a3e3db01c07cb0835

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
618f30960ee31b3f9433b9b994786487

SHA1
3b5b43220ab723eb7f9aaa5c9a2b542ee07ec07d

SHA256
b28dca71a461f588bc8ccbe32831c9750864c6c20c8ead15027d43e0242efa9e

SHA512
46b892cf875df79750b9fa996ce4484bfdd4cc21a8850b0ea5b31a008fcd276f2d52523ac5534d416a434120c9ded1bc78edaf5b72a23f5f71331af2142ab39a

Download Submit