wannacry | 8d764975d177f564eded856e9216f0ed154042a6dae2b7a81acdd326c26dbea5

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32b3efdf648ce7883be0f968f0c9ff52_JaffaCakes118.dll
Size

5.0MB
MD5

32b3efdf648ce7883be0f968f0c9ff52
SHA1

00275d760562de465266baa81d8f08e18f9931fc
SHA256

8d764975d177f564eded856e9216f0ed154042a6dae2b7a81acdd326c26dbea5
SHA512

653708979bc20187cef928f0c2710c69dd6f5e47aea0ab88d468242514c740564cd63985927aa4fad693ae17d83839dfbc9cb254db03769f08ff712e4fc8e784
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3288) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3644 mssecsvc.exe
3272 mssecsvc.exe
4584 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3644	mssecsvc.exe
3272	mssecsvc.exe
4584	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3956 wrote to memory of 3408	3956	rundll32.exe	rundll32.exe
PID 3956 wrote to memory of 3408	3956	rundll32.exe	rundll32.exe
PID 3956 wrote to memory of 3408	3956	rundll32.exe	rundll32.exe
PID 3408 wrote to memory of 3644	3408	rundll32.exe	mssecsvc.exe
PID 3408 wrote to memory of 3644	3408	rundll32.exe	mssecsvc.exe
PID 3408 wrote to memory of 3644	3408	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32b3efdf648ce7883be0f968f0c9ff52_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32b3efdf648ce7883be0f968f0c9ff52_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3408

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3644

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4584

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
22785c60f359a179c47fd348823876df

SHA1
a60b6cb653f67269b6060982857ecc1454f8738c

SHA256
d8ca1e199c6db534860f595f4728cdc0138e3553654cc897e4a0ae03c27eedcf

SHA512
534bf505f36673d9e23c4bea08d3e25b3e4325fa9efdaf16c6bba5570ca58ea35b8a053b04814d0054c708f234fd2dddb0224016f4f31b0d3987a2d8f5c66fe4

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
29c65c871d14c5f61092a6214e922507

SHA1
c2e8769007f97c1a79e44d07924211228f2bb912

SHA256
f84aa4eb7458846c58ac129227b9c1838757ed2ac3a801e4041585ce576fedec

SHA512
8cec670bc4142dd175fb8e20745a2011ddfa4332b1efbd6984aeef4827fd2c2669c2862c40059c09dddd6a446dd22916c97730c17c39a09c67ce992517c097b0

Download Submit