wannacry | 0003fa57b49fbc514bc48a2ce0c17e93307ab37123a65b3f5e1016b0d4f2f4fa

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75695be8e3ddf0ef933283b55a36d22f_JaffaCakes118.dll
Size

5.0MB
MD5

75695be8e3ddf0ef933283b55a36d22f
SHA1

26fbd0b2145fe8fee24524f245808c645c468556
SHA256

0003fa57b49fbc514bc48a2ce0c17e93307ab37123a65b3f5e1016b0d4f2f4fa
SHA512

dd8b63b87d1b5048bbb258958b50b2478ae3a731418db087f6f5dbcb7e10ad41471a274fff5c8639076ff0b9bb0e601f5e584cbd71df1db26cc14c2d4b7513ce
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQDH9PAMEcaEau3RthnAEYc8c6Ri5WN6n7:TDqPoBhz1aRxcSUDkK9P593R

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3237) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3992 mssecsvc.exe
1280 mssecsvc.exe
4860 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3992	mssecsvc.exe
1280	mssecsvc.exe
4860	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1240 wrote to memory of 4772	1240	rundll32.exe	rundll32.exe
PID 1240 wrote to memory of 4772	1240	rundll32.exe	rundll32.exe
PID 1240 wrote to memory of 4772	1240	rundll32.exe	rundll32.exe
PID 4772 wrote to memory of 3992	4772	rundll32.exe	mssecsvc.exe
PID 4772 wrote to memory of 3992	4772	rundll32.exe	mssecsvc.exe
PID 4772 wrote to memory of 3992	4772	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75695be8e3ddf0ef933283b55a36d22f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75695be8e3ddf0ef933283b55a36d22f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4772

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3992

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4860

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
616b8e8754c4484ff1ba66c06d105786

SHA1
f0d966cf5c5217f45a468a9e9a55c4834d33e0e0

SHA256
8ca4a629ce9b83744eb540ade3d8a7b9f29c5b93c3347e1fb28f04a0a36857ce

SHA512
400a87545b3bba5fd566fd45f952c5bae33afda4414a25bfbe7c6273462a14aaba7e5a761d633a64ebdf997a5d749f1c0221f00c974c9b7fe81bd40eb6665b39

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
dc83958a624ee07ad2a8b159ec622cd0

SHA1
7baf5ec72bc499dae335fae923dd4684617d133e

SHA256
2ca947548bbf52ef67ccf1225522050b52ba5c064abb824ae02e3c9738f07745

SHA512
4fb6fa4673158a5c8b9341cc07c48466117ca2c77b024e5fce1673649bd6ecba68e153839f8c400ca27cd76876f7f658ea1b089ff24fea433ce321295ea8680d

Download Submit