wannacry | 84040953607aff7a9da2b43fcc2286e88b0bc6393a49e410c5080090cd85d3f3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:48

Target

73f6ac7752f1f9e50141593c22e0f632_JaffaCakes118.dll
Size

5.0MB
MD5

73f6ac7752f1f9e50141593c22e0f632
SHA1

6d7d5a355cbf511e95c99e8f4bc4f594ce3fbf73
SHA256

84040953607aff7a9da2b43fcc2286e88b0bc6393a49e410c5080090cd85d3f3
SHA512

4bcf64d5717dfd8761e47cbc79945370a93d36231602c860d30b246618914181f2dcdc34a3f336021fd2a2cfcd77383aa252a13846048e013816f7bc73e9363d
SSDEEP

98304:+DqPoBh9cSUDk36SAEdhvxWa9j93R8yAVp2H:+DqP8cxk3ZAEUabR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3338) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

956 mssecsvc.exe
1320 mssecsvc.exe
1668 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4840 wrote to memory of 5076	4840	rundll32.exe	rundll32.exe
PID 4840 wrote to memory of 5076	4840	rundll32.exe	rundll32.exe
PID 4840 wrote to memory of 5076	4840	rundll32.exe	rundll32.exe
PID 5076 wrote to memory of 956	5076	rundll32.exe	mssecsvc.exe
PID 5076 wrote to memory of 956	5076	rundll32.exe	mssecsvc.exe
PID 5076 wrote to memory of 956	5076	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73f6ac7752f1f9e50141593c22e0f632_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\73f6ac7752f1f9e50141593c22e0f632_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:956
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1668

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
c8eb4702bd0a3b8e8293dd9200cd45a9

SHA1
7fbb9e18cc58134c1880cde1611d6b45c55e2445

SHA256
80e25f7831053b7c07a0699b017d33c718ce67f47264a61f495f937738d3f536

SHA512
340907310b95a0c8e16923bdc0485bc6fe1b734a1a3906575531a74696b431d70d538bb3aa3e8dac07a7722df5cac84a001ee86bceac8221a3354ac9397a2f63

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
731f058f171d4cbf7bb04ec84f2278b4

SHA1
166ac339c4ce2ec752b975ee88fc053fb34a7366

SHA256
ea9508b33ea8d4168283235f5ccc620b9c32a8d50287a22ac63d81293a1025c1

SHA512
c5c465d1d13d9dcaa772d73ff4c319d06b9f2930cfa0262c6e20d73d46e39003a3c362b5f0bfb8f27e9e28724f8de4fa184272d1e573191b204739e6dcb3dbc1

Download Submit