wannacry | ff74d29ec91885d27016c0057a576c092dcaec22501c1028c77cccb918f7abce

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3109b65e8686e4baa0113616a10993f3_JaffaCakes118.dll
Size

5.0MB
MD5

3109b65e8686e4baa0113616a10993f3
SHA1

2398716f9106b2fba069b3f9ed9607fbb211efe7
SHA256

ff74d29ec91885d27016c0057a576c092dcaec22501c1028c77cccb918f7abce
SHA512

013db95bfa715d03c829f9b8b278221013da3d48dca06e92b97addd37288dcc14199312bb0a250ef25c4f9ca258f9453d7142c9fb8f5fd3c112ee431188ebda1
SSDEEP

49152:SnAQqMSPbcBVqhnvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBQhvxWa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3230) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2720 mssecsvc.exe
2888 mssecsvc.exe
3424 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
2720	mssecsvc.exe
2888	mssecsvc.exe
3424	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5084 wrote to memory of 5080	5084	rundll32.exe	rundll32.exe
PID 5084 wrote to memory of 5080	5084	rundll32.exe	rundll32.exe
PID 5084 wrote to memory of 5080	5084	rundll32.exe	rundll32.exe
PID 5080 wrote to memory of 2720	5080	rundll32.exe	mssecsvc.exe
PID 5080 wrote to memory of 2720	5080	rundll32.exe	mssecsvc.exe
PID 5080 wrote to memory of 2720	5080	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3109b65e8686e4baa0113616a10993f3_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3109b65e8686e4baa0113616a10993f3_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5080

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2720

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3424

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
4b64ed19eba723d7fd0f27b7456e463d

SHA1
e218b7fd95809c00baaae98d880773b2052b601e

SHA256
c1891202395b193c6bf77053101d34dd3c0f496c7f3c694f7611d6bbee2e1d98

SHA512
c52d1025237ac6d49ffedcab6b84b51fac90c4f82c76e62216efe2e9c227ba775912a32e3a8a47738868c5f8fedfeac88cb5e87b5e4e29262acb64784a61a51b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
0704028bbfb9be0fcc1b3a636e0407a9

SHA1
2fab42fc578a27f9b27412cc72226bcd59846cad

SHA256
a2884390164fbb65b90bf147c7d8de49943a447a0c0edd61da6e494fdd062318

SHA512
c362f3adc8b58561208eae7456312bc5544a23bd2b7ec13fa15de95fcab7ff038b20f983c534d653131de411246851e3dba1715f5305a0afb681f4c9c804fc62

Download Submit