wannacry | 0f9060ba65a98d39a9b4c1ebb20b9792a45a553bf94e04fe218abe7bfc7db336

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f57d4d7c53e14dd87a88bbe181d9d00_JaffaCakes118.dll
Size

5.0MB
MD5

5f57d4d7c53e14dd87a88bbe181d9d00
SHA1

143026c0bd482834da35f214542070b05a0dbcba
SHA256

0f9060ba65a98d39a9b4c1ebb20b9792a45a553bf94e04fe218abe7bfc7db336
SHA512

0f529ceb51fba1588654632e2b52832fe9e0b7ba70d0239ca63bbc616206bd4b8fff5d921fb672dfc1dd38195931dccd95db0ec3155ce7167006e084439ed2c4
SSDEEP

24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8ki:znAQqMSPbcBVQej/

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3338) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1184 mssecsvc.exe
4100 mssecsvc.exe
1788 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1184	mssecsvc.exe
4100	mssecsvc.exe
1788	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4400 wrote to memory of 2744	4400	rundll32.exe	rundll32.exe
PID 4400 wrote to memory of 2744	4400	rundll32.exe	rundll32.exe
PID 4400 wrote to memory of 2744	4400	rundll32.exe	rundll32.exe
PID 2744 wrote to memory of 1184	2744	rundll32.exe	mssecsvc.exe
PID 2744 wrote to memory of 1184	2744	rundll32.exe	mssecsvc.exe
PID 2744 wrote to memory of 1184	2744	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f57d4d7c53e14dd87a88bbe181d9d00_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f57d4d7c53e14dd87a88bbe181d9d00_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2744

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1184

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1788

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
c769f5df594e21e5b8a9e2d7177b3e29

SHA1
71dcf900b2134cf5c4c4839c6904c99b5cd26722

SHA256
709b00ef860a1f694789d343de09c632b6323e45d0b5cd563c7d25acceb3b022

SHA512
088cf56800e48d77de3c72efd866778bd139b652a822d4134853b2ec21cf8d3450a0c7acc794f0187924522b114ad0d15e369396887d683d4b8470000bab18e8

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
385c31ff3c59303ab6dedfe447bc969e

SHA1
65497f515c2d7b225926479bd3b3f748d0e89254

SHA256
c038735b7270f0a504d84522b9e5e133b4472230b3b0380f30863bfcf6d78d1f

SHA512
2ed7b20c6042c33c68933a203025e0f10aa02d1a887f2506cd3d4a710f70e52f84eb6d10f42241ed50b4bd17f21cf4171e925f125aa87a7d10e056dc1d6c9976

Download Submit