wannacry | b135b00a2fe9760f67568a7d7042448131cfb1d68d0623da3e63d08639acc8d7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f0c3e5447dda6358a9aed014419101f_JaffaCakes118.dll
Size

5.0MB
MD5

2f0c3e5447dda6358a9aed014419101f
SHA1

731d4f6869ab6911325f06dea14792a1b110e65b
SHA256

b135b00a2fe9760f67568a7d7042448131cfb1d68d0623da3e63d08639acc8d7
SHA512

de878ab90c071f57fa79d8e7f4d818007b7cb5012b6884104dd40e236d697806034048a284c4b29f01706f5a289d9de90ef276ce236c1f7313330c6c963c28cc
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593:TDqPe1Cxcxk3ZAEUadz

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3339) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3724 mssecsvc.exe
3456 mssecsvc.exe
3680 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3724	mssecsvc.exe
3456	mssecsvc.exe
3680	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4284 wrote to memory of 1792	4284	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 1792	4284	rundll32.exe	rundll32.exe
PID 4284 wrote to memory of 1792	4284	rundll32.exe	rundll32.exe
PID 1792 wrote to memory of 3724	1792	rundll32.exe	mssecsvc.exe
PID 1792 wrote to memory of 3724	1792	rundll32.exe	mssecsvc.exe
PID 1792 wrote to memory of 3724	1792	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f0c3e5447dda6358a9aed014419101f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f0c3e5447dda6358a9aed014419101f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1792

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3724

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3680

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
ab4a6a12d1cf1fa709169bc8ba745ec3

SHA1
31d613941c3c423f84b0f4a42b5d9dceff48de80

SHA256
1d38146bb62ba9cd712e2e2b1270c3aa8b9b058e47ca5ea2676180bece29720d

SHA512
52f04f11024c342a26d387399f952d0a48806696fe48907c7a5e1382ebe5a06853f04238fff10e6533578df1d1c4a28d369d3cf273e3c392ca87ca32b224629a

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
51a89ab5f525c835119150ccf1941d63

SHA1
750308a2b4de02c48a8011e79831da0a0d8220ac

SHA256
fccecb609c53bf496d6ea5ce5a0b71ac8b44cd79d18542f34c3c2e9ff373c52d

SHA512
ef510528aef360c79bfd1965a124c8b33bae15103e6aed4b8971005a99994fcb341f4c3b291c4580e7895171afdf3255f4a54094dfcd468cc3b8a9d34dc0fd75

Download Submit