wannacry | 0084d35bd8e774e086f9510977bbdd5f062a6eb5aed88c18f89ad61bf3b295bf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37349963654abd9e66db2c0e8681243f_JaffaCakes118.dll
Size

5.0MB
MD5

37349963654abd9e66db2c0e8681243f
SHA1

0ad6c69abb62ca7686f244a8b244fb0266ea2b0a
SHA256

0084d35bd8e774e086f9510977bbdd5f062a6eb5aed88c18f89ad61bf3b295bf
SHA512

a424f3c90714dc5fb794e9443adcebb8b8954fd1175abf72c3aa7bc58386a38035e39c55c8b1882f644821a72b48cb46246d54d33b75d57b7d154f63a41f9bd6
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAI93R8yAVp2H:+DqPe1Cxcxk3ZAuR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3332) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2764 mssecsvc.exe
4076 mssecsvc.exe
228 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
2764	mssecsvc.exe
4076	mssecsvc.exe
228	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1812 wrote to memory of 848	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 848	1812	rundll32.exe	rundll32.exe
PID 1812 wrote to memory of 848	1812	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 2764	848	rundll32.exe	mssecsvc.exe
PID 848 wrote to memory of 2764	848	rundll32.exe	mssecsvc.exe
PID 848 wrote to memory of 2764	848	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\37349963654abd9e66db2c0e8681243f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\37349963654abd9e66db2c0e8681243f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:848

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2764

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:228

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d87f9fd9a5f72e97d2e47c8d2c64f53e

SHA1
7660e0be196d0e07a6c1adb4015d94e5c2260f2d

SHA256
43dbf7121a7a55754e0bb0fc9e0e28a9fde79dc7d2004299241c9bebc6246111

SHA512
0957f79e99006b4ff010dfed8258adff5d302fffc03801cf68d36a3a02da5b85bfc18f01745a9ee4d1927fbfc125579b2421621ef3a75769faab04297abdb567

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
866ec34a1bf2f8d9b3b81dafd9358ec6

SHA1
3b16d2936a026d7ebfa248018efcb6f20ac58fa7

SHA256
93969c25814c00bb00911c3b75636c39af13601baeb208d073051ef5858c40fc

SHA512
16c47fc0904e3ef9fa5519c0443e0d723904d04ad3482c06e70fcb072fa0a674ef16479f1e45c0e693fec7f51ef9c0607f25843b38899eb885d2b2760e4f8c6d

Download Submit