wannacry | f37ea72f42c0f96a9a638a61dc80ea56cba6e416f08a6d66995d3414010d419d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32d9c2457554ed6c883eec0a7c5228a1_JaffaCakes118.dll
Size

5.0MB
MD5

32d9c2457554ed6c883eec0a7c5228a1
SHA1

68f6e1fe94e61e71d5125de5f24f5473726d0092
SHA256

f37ea72f42c0f96a9a638a61dc80ea56cba6e416f08a6d66995d3414010d419d
SHA512

4f6576ef0e88a69a57c44a13ea91d45718963e1fc5b14ac487f4c6fb6dc9b7337d86b6d25fdc51e9dae306d81d908b60ebb5b94ca5cdd5886a86b17d9c7b6232
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEys+593R8yAVp2H:TDqPe1Cxcxk3ZAECzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3373) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4160 mssecsvc.exe
624 mssecsvc.exe
5004 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4160	mssecsvc.exe
624	mssecsvc.exe
5004	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1080 wrote to memory of 960	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 960	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 960	1080	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 4160	960	rundll32.exe	mssecsvc.exe
PID 960 wrote to memory of 4160	960	rundll32.exe	mssecsvc.exe
PID 960 wrote to memory of 4160	960	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32d9c2457554ed6c883eec0a7c5228a1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\32d9c2457554ed6c883eec0a7c5228a1_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:960

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4160

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:5004

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
c9df0c59d8d62f3cad3abf93a0ac0302

SHA1
abb093c67c498f1fb1fa9adc179163a16595003c

SHA256
fd4dee52b9b3d1f88da60f9afd9d5898b7aca5350449bad83ad9decd8ab2b8b0

SHA512
1f577aa1d654f1f6a3de20fbe35aa4c14c108286b129c8d9443d9f167a219b54e774cf02de42ef9d1851d740792a11a634e6dd9bf1bdd9fa533fa150f994ec4a

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
cfcfde8965410063a68b7f638bb0f766

SHA1
f152c2d9be199932b5f65bc815f3411da1b9e10c

SHA256
3aacdf6cccc1d9d3bf5a99d328705c04d2fcce4557e06ac4494243c81b1da350

SHA512
1f9ac9a9ebc1a794e7e30463272420858d1186da44edda882927dbc2cbd45a4585350953fbfa5ae53ab552d8901609257f7e973d1f89ae7ffa9bb5f97ca346ff

Download Submit