wannacry | 435afbf193eaa6ba5a2718bce0b707b3b548345fac3c7b941c66502202fb43ca

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b3412cf9da09f48a57e6ee6f4ef2596_JaffaCakes118.dll
Size

5.0MB
MD5

5b3412cf9da09f48a57e6ee6f4ef2596
SHA1

868d04b8ddee6565350620c734cb100d97095f68
SHA256

435afbf193eaa6ba5a2718bce0b707b3b548345fac3c7b941c66502202fb43ca
SHA512

91f3df2ba689fec90dbf096e770a889ec36dc94c5d3663bdecc3c9e9064f1596a0d823cab83987bf20b6a0d6e8eda9d849d387e3a2d35b8c35a877886f3cc9f9
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593Y:TDqPe1Cxcxk3ZAEUadzY

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3319) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2972 mssecsvc.exe
4380 mssecsvc.exe
3084 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2972	mssecsvc.exe
4380	mssecsvc.exe
3084	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4920 wrote to memory of 2572	4920	rundll32.exe	rundll32.exe
PID 4920 wrote to memory of 2572	4920	rundll32.exe	rundll32.exe
PID 4920 wrote to memory of 2572	4920	rundll32.exe	rundll32.exe
PID 2572 wrote to memory of 2972	2572	rundll32.exe	mssecsvc.exe
PID 2572 wrote to memory of 2972	2572	rundll32.exe	mssecsvc.exe
PID 2572 wrote to memory of 2972	2572	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b3412cf9da09f48a57e6ee6f4ef2596_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b3412cf9da09f48a57e6ee6f4ef2596_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2572

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2972

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3084

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
9bf9e8f8a52c974c40852b3040647b42

SHA1
ce185b9756b05fd5fb8949b400291d148472d037

SHA256
8376b88ef7462681ba76b80f47004d477eebe6360b2cc97a191cccf9763e5661

SHA512
f5e5a2ed73c474fab761fcd17da745a2cfb7ababb2aff9b17eeecfc3946398ff0ad71ebf613928bf4b1f88240b268688c82e7f3f7bf2fbadb43567e101874793

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
6766b2c84517f32b7b4e855663693601

SHA1
829f8e75eb3da162c8ce48bed80bbc7dfeba63de

SHA256
102136b8ac96b5edf4b0450a734e24b850b51e8f3dafd347d5b85bb202a29b2a

SHA512
0f302cd516aa838cd3103ec71e1584995548a1115c87f28d736ff526ccfab16359ebd1ce31d1707e4fbdb7a649f4f35cb4dd9f4c5dc380f2a1540750cea43577

Download Submit