wannacry | 5067fee0e271fea31a5b0f4479521e26250678656675b9ddcca829445f7d242a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74f8cf308139a939d3fdbaadaca3132b_JaffaCakes118.dll
Size

5.0MB
MD5

74f8cf308139a939d3fdbaadaca3132b
SHA1

9ec8f64b061ad98c41ef5afbe864e1974cc456b7
SHA256

5067fee0e271fea31a5b0f4479521e26250678656675b9ddcca829445f7d242a
SHA512

30c4429d333680369cc2b30302ecfc8830c9ce4f9d52619494b7c265863eb00b58ad7b4c02f4616ea2613d6fd1d1509703ce06c8221643675fbf16a6626c9e91
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAME:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3362) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2760 mssecsvc.exe
1648 mssecsvc.exe
3924 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2760	mssecsvc.exe
1648	mssecsvc.exe
3924	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2368 wrote to memory of 916	2368	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 916	2368	rundll32.exe	rundll32.exe
PID 2368 wrote to memory of 916	2368	rundll32.exe	rundll32.exe
PID 916 wrote to memory of 2760	916	rundll32.exe	mssecsvc.exe
PID 916 wrote to memory of 2760	916	rundll32.exe	mssecsvc.exe
PID 916 wrote to memory of 2760	916	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\74f8cf308139a939d3fdbaadaca3132b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\74f8cf308139a939d3fdbaadaca3132b_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:916

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2760

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3924

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
cc48c3d018ad980965e8d0a83230d9ee

SHA1
3130c3179faf9606f93bfba5d6d1113200e5c4de

SHA256
80f61915d2ad682e04705d614a345907118add13417d2ba8f894252c5b6ac7e8

SHA512
4081437021d5f30ba33e9a8dfc7e1d8675c0866496f6fb7b9fd43826e698840fc942cd78fd178817b2ab5234ef133848a4c6e0309746abb30ce4e4b07d46b782

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
34b9d37343b72787887139095f4d514a

SHA1
3c3fb32bb98d40b6d6b848aa23edbb1c64b7a727

SHA256
44f75dfff8d0f188eee3cdf7f12895b97f420be06c267cb293cd4e1a72b01e16

SHA512
f3e098305bc3b5d5c84b2c39c9e7b68b794316c257ce015d460e4b56b81e744bf44447c8cae8332bbe283f2cc9d0cf18609bddc40a62e15dd2fd420720237267

Download Submit