wannacry | e378b6b101c70ccb81701996c0e380fdb8074dd1407ad675bb07d412a3621f15

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68040c40015e7357bd0db761ddf9d28c_JaffaCakes118.dll
Size

5.0MB
MD5

68040c40015e7357bd0db761ddf9d28c
SHA1

b7bc45c9ef8aba2b877bea85b9da645eebde56d7
SHA256

e378b6b101c70ccb81701996c0e380fdb8074dd1407ad675bb07d412a3621f15
SHA512

98434b6b877363e7046993fa4339e450d4d1c6651ec73be4434ead7fb5c99f590ef727d596459f0212bddc3e8527479d4fee1e4ed594064c4b7331f988969cf4
SSDEEP

49152:SnAQqMSPbcBVthnvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBXhvxWa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3167) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1160 mssecsvc.exe
3992 mssecsvc.exe
888 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1160	mssecsvc.exe
3992	mssecsvc.exe
888	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2256 wrote to memory of 1880	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 1880	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 1880	2256	rundll32.exe	rundll32.exe
PID 1880 wrote to memory of 1160	1880	rundll32.exe	mssecsvc.exe
PID 1880 wrote to memory of 1160	1880	rundll32.exe	mssecsvc.exe
PID 1880 wrote to memory of 1160	1880	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\68040c40015e7357bd0db761ddf9d28c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\68040c40015e7357bd0db761ddf9d28c_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1880

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1160

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:888

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
44b3a1156d668a0d3e62540ec144b1ea

SHA1
73c1f8d547c6994bda024176fbd07ec8f33bb76f

SHA256
a8e92f81d46cdd72411282a0573f87848676d7116846e2ee6ebebd2a7ee9da87

SHA512
a99a698b054c4eba7840a7ce23597dc6b8868569d44104828a583cd28bdc74d1876b766c7648a6411d299d862fea727aeb4f9ab364a5b5a1a512b779daa279ce

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7d1a1e425c3a214a649013d89e82d6b4

SHA1
b695fd52830c6124b1799d0ba0d256fbd786a2f7

SHA256
3743d8bb3d584eb76a7e74dcc199b2674a4dc77a72c9236e1f3ebc5eaf51c7d6

SHA512
ab939c536bf339a70dab35178fdb90919c98bc0e3bf7982380390a6b8bd769e120dff9406db781a852b9da1bcc998bfd6df5f46bb5e8b91621b87a69d436f79f

Download Submit