wannacry | 55828142644029337c9cab5259f570e754baba5a7143181d4626a93436c77f41

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fa1a6affa793ce0a954193b53d84f82_JaffaCakes118.dll
Size

5.0MB
MD5

2fa1a6affa793ce0a954193b53d84f82
SHA1

6a15bb42c3d51011ba2a734e8d165ee0d283b8c3
SHA256

55828142644029337c9cab5259f570e754baba5a7143181d4626a93436c77f41
SHA512

a62769e92257937a4915bcb5c16e975564a76e34f1d555eb90288a64981730d482f94ad37f28eeef632fd462e9f58aa929dfb2cc27de9179c340b15421c8a7eb
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0styg3B1jaATc:+DqPoBhz1aRxcSUDk36SAEdhvxWTHa

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3297) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1136 mssecsvc.exe
4992 mssecsvc.exe
2732 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1136	mssecsvc.exe
4992	mssecsvc.exe
2732	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2188 wrote to memory of 464	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 464	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 464	2188	rundll32.exe	rundll32.exe
PID 464 wrote to memory of 1136	464	rundll32.exe	mssecsvc.exe
PID 464 wrote to memory of 1136	464	rundll32.exe	mssecsvc.exe
PID 464 wrote to memory of 1136	464	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa1a6affa793ce0a954193b53d84f82_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa1a6affa793ce0a954193b53d84f82_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:464

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1136

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2732

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
b312269c7e699141551b7e844e32cd84

SHA1
59764e99605cd9e6cee9430ac074b9cb11e6f4f8

SHA256
06ba819e39a07e5748383ca32587f0634858f395ada5f5413140da0e56bae168

SHA512
9487c53ee9a6eb7887701014930017d37af5c5db282d541374d448f3124e4257d47739335ab66f4c527cd358a90c096235da3cbb5a5f617e56930233cbaf6c82

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
d57254187d87e8b92b561f0e17cb1de5

SHA1
fac778cfb39eb034bf13ceb8f7dcda3cd7f8be46

SHA256
730309041fa07c19194be5bb878be0cdeace11e0c5bfcf3f24c773b9ec5d32a8

SHA512
771db357430a476769d3436d60687ecb2e5b387f1b216ba452ab9cc23792b70a24181b819f2f78723107023f0da6ee16d383d9de3309abd0d22e65a674022354

Download Submit