wannacry | 72b2b788e40b68c5ea70cf429de6acb1ad291fa5944836ff35648a29f8e40ec6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 08:51

Target

717248d46d244e2ebf745fd204b86b61_JaffaCakes118.dll
Size

5.0MB
MD5

717248d46d244e2ebf745fd204b86b61
SHA1

4ebf72436f13f0e2e91d2b0f46d42190cdf46dca
SHA256

72b2b788e40b68c5ea70cf429de6acb1ad291fa5944836ff35648a29f8e40ec6
SHA512

e7a9f3ccdfbe38d03f96476b90018d6f7383764eba44ede40f485259a62d7ab9c058112dfd68e5cd676636596a7575891577a23a191c596aa5391333f8cf6b92
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3164) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2620 mssecsvc.exe
3488 mssecsvc.exe
2832 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3348 wrote to memory of 1152	3348	rundll32.exe	rundll32.exe
PID 3348 wrote to memory of 1152	3348	rundll32.exe	rundll32.exe
PID 3348 wrote to memory of 1152	3348	rundll32.exe	rundll32.exe
PID 1152 wrote to memory of 2620	1152	rundll32.exe	mssecsvc.exe
PID 1152 wrote to memory of 2620	1152	rundll32.exe	mssecsvc.exe
PID 1152 wrote to memory of 2620	1152	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\717248d46d244e2ebf745fd204b86b61_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\717248d46d244e2ebf745fd204b86b61_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2620
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2832

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
897ca0b501bf5b8df54c656acf6c9bcf

SHA1
2018fc805cf6affc4cab760647c721765558c833

SHA256
d11a71c96aca03a2cc7fe0ad81b7233621149d50575002e152dee2a89274c6b6

SHA512
b4a57fd29c1a33b21dde50defd7fffb95021d84cb0557680602bf155b2d48edf88925aa4aa24ea62adfbfdebcb7819b254c8a56b819f1cf8eb3c265250b8432b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a58747ac2efc0bb240802a949408edfe

SHA1
3df64545a5323af04b49e833eefc480818f6d8c8

SHA256
f1a9f1a237c087e10594a8d1fff87c05849fa2b73571f71012ee35317ba8b7c3

SHA512
b6218892aaa65bf8ed86be5603735b0e197c838af25daf71951c4c890ec8567d174af719ded71c6c6f164310388873fd24aaa3c140a44e56bd54b8be65931715

Download Submit