wannacry | 89d54bd2f03dcdc4703e8b457edc8559e74c9eb56a0fe0c18eb4b7c2c0367f4b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll
Size

5.0MB
MD5

2fe3b52fc337d3a1a1cdca0f48f46773
SHA1

f8e4e3df09e914f104fb7f64d4cdf2c6d0e9a76b
SHA256

89d54bd2f03dcdc4703e8b457edc8559e74c9eb56a0fe0c18eb4b7c2c0367f4b
SHA512

f51102d052b9ce4c4d78139d5cfa1e35fc5427c7e8af8380a839f875a60bd8ecc63f2150e7fd6b910321fd57ea2fac0ea39330c759838259ac709ec1756c54b9
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593ip2H:+DqPe1Cxcxk3ZAEUadzi4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3214) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3228 mssecsvc.exe
324 mssecsvc.exe
384 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3228	mssecsvc.exe
324	mssecsvc.exe
384	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1672 wrote to memory of 844	1672	rundll32.exe	rundll32.exe
PID 1672 wrote to memory of 844	1672	rundll32.exe	rundll32.exe
PID 1672 wrote to memory of 844	1672	rundll32.exe	rundll32.exe
PID 844 wrote to memory of 3228	844	rundll32.exe	mssecsvc.exe
PID 844 wrote to memory of 3228	844	rundll32.exe	mssecsvc.exe
PID 844 wrote to memory of 3228	844	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:844

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3228

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:384

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
d9dce092aed3030e2a500f8c6b1d892e

SHA1
6829f556957c3d54c6c9b6342339d2a72bafda72

SHA256
490b71b9d0552dc07ee5d57aef16ee95c4d61e8126a59065f83fa6d739493dfd

SHA512
495f3735246d700dc4fbf33be3a77f03916d9d8e4e6aa00d4d387fcd91eb4c7ddd9a7d07979f5476dc8f0d70cdc7fb3e48c7370ef4f454420ae930bb7d97ddb8

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
706fb84b80387399862b77592a003faf

SHA1
fcdff5d4e29f7d4aca362afe53554309f4106f4c

SHA256
ff8b504e2c6b1e62693f64f39b2fd9ac5c3e0d33c54cab137f0465d3e22f2a91

SHA512
55219a69ce37eb2c219dae7940f9a2b936b46333529ac4618a72dd29aaa580b1506d3e8734a1c3d8f38c65509f7f80647747321313ca74c61f05de8dedf3731d

Download Submit