wannacry | 87ba3542b2055ab6223f8d9178b1d624406782f607f7a35a02a16272485ba01a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 07:40

Target

7148c1cc72f9108fd46ca44743ec20cd_JaffaCakes118.dll
Size

5.0MB
MD5

7148c1cc72f9108fd46ca44743ec20cd
SHA1

db062fd223246c5398b9d16908c77d88d568cec1
SHA256

87ba3542b2055ab6223f8d9178b1d624406782f607f7a35a02a16272485ba01a
SHA512

ad5443c3ea298fe47a299ce7bf23927005e427d0a1b6c480fa8377ad9a04ce9f687bc85bec9f51ad091abc88bfc761450a2de24148649dffd880e1a07c832991
SSDEEP

24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTP:znAQqMSPbcBVQej/1INRx+TSqT

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3329) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2924 mssecsvc.exe
4528 mssecsvc.exe
5036 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2016 wrote to memory of 3244	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 3244	2016	rundll32.exe	rundll32.exe
PID 2016 wrote to memory of 3244	2016	rundll32.exe	rundll32.exe
PID 3244 wrote to memory of 2924	3244	rundll32.exe	mssecsvc.exe
PID 3244 wrote to memory of 2924	3244	rundll32.exe	mssecsvc.exe
PID 3244 wrote to memory of 2924	3244	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7148c1cc72f9108fd46ca44743ec20cd_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7148c1cc72f9108fd46ca44743ec20cd_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2924
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:5036

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f3bfc66597d832b63cbf7a20b2830eeb

SHA1
174d2694590d0a495ef9ecabb230a1cd9558263d

SHA256
13a50611e7735fe111c5d357bf2e865c12aecf12fc7bfd5638c020f2631d1e56

SHA512
1d26c5e07ff1bbc1a036f4a83d0407b68ba571427ed73648068889ecbdf7f37cc9255d83efeaf285c93df9a0eed48d21793ab698878172ca507beef10b018988

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
212e6057756b5b3be7715c8feed70def

SHA1
6cf894d1b1eb8cb3066099c172e12ffd27f97cef

SHA256
3f987b75d37651d2348c234898ad4ddbb44b35f87ae4a2b7ce1c5e96d3293c73

SHA512
77cf807f9a7508595042d2ebc6919789d164aba64928266969d82df605eabf72ecbaefd221def8011568823982831a78fd8665da4d364410066022f166f27f7b

Download Submit