wannacry | cb5120bb8f471051d3ec31ce6b27aae8c2a4537cf2e528f2bfd08cfe2310a804

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76997e1a25b7ad5d8ed286532f05c578_JaffaCakes118.dll
Size

5.0MB
MD5

76997e1a25b7ad5d8ed286532f05c578
SHA1

5c1f74b3d95171f8f3415a0f32aeaad6387f83fd
SHA256

cb5120bb8f471051d3ec31ce6b27aae8c2a4537cf2e528f2bfd08cfe2310a804
SHA512

52b2e33b24e403edff6690a2ce80575213cacdc7ea0de73bcfc3cf46ce5147bc45e40bcfc15a842b630c7edbdd2ea3e5c4c293c868c400bf34910d533802b077
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdOxJM0H9PAMEcaEau3R8yAH1plA:+DqPoBhz1aRxcSUwxWa9P593R8yAVp2

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3296) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2424 mssecsvc.exe
1184 mssecsvc.exe
384 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2424	mssecsvc.exe
1184	mssecsvc.exe
384	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2632 wrote to memory of 4288	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 4288	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 4288	2632	rundll32.exe	rundll32.exe
PID 4288 wrote to memory of 2424	4288	rundll32.exe	mssecsvc.exe
PID 4288 wrote to memory of 2424	4288	rundll32.exe	mssecsvc.exe
PID 4288 wrote to memory of 2424	4288	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\76997e1a25b7ad5d8ed286532f05c578_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\76997e1a25b7ad5d8ed286532f05c578_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4288

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2424

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:384

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
2388424c4d909c563530cc48ba88fefc

SHA1
8b71168f0821a786afb33c51333f1e51923eef31

SHA256
603e42df45a1f65fb4dae4182ec9abd55796d2bf9005c46f668f079dfac67667

SHA512
b5cd28088f54d4ed2ceb5a88f383a62f3d4557e3ac741c01b94379662160122b8571ae860dc96e301caa2dd3b581c9da497045cfe3601fa41472a05abefbed31

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
e0264a5e7efc1def40b0415b14c0d4be

SHA1
a109d562b06d548151fc0cdaf4f4b1045f6f0ef3

SHA256
64861559ee089d87f8f0983f08c2db874e36640a081c860a81fdb5f5b85cef0c

SHA512
060d82b0cda057f401c10688b1c12366572260b65499d8ed19b7bdc7d320adf3d00689d749b8ccdbb6722cdf084568fecbc132695d9435409fd96d5b104862b8

Download Submit