wannacry | 9aab49990ffe59f8716e3bd44397da46af788a4bc65ff6788b12164a2f48649d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 00:16

Target

7b0d0b61fb8e6a810dcadd0df1f069e3_JaffaCakes118.dll
Size

5.0MB
MD5

7b0d0b61fb8e6a810dcadd0df1f069e3
SHA1

3f5ca761a153108d3e07f575ec318acb57d1eafd
SHA256

9aab49990ffe59f8716e3bd44397da46af788a4bc65ff6788b12164a2f48649d
SHA512

d1303c962f3684ba8c96bebcc41e3bf85d076da0af2b3003ca6c1826386126f7b69620c4901067f1c812ba95c16e7e7601d4050670d66b0e86d6135d91a66001
SSDEEP

49152:SnAQqMSPbcBVQej/1INRWRdhnvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBhz1aRKdhvxWa9P593R8yAVp2H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3322) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3784 mssecsvc.exe
1116 mssecsvc.exe
2036 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3940 wrote to memory of 388	3940	rundll32.exe	rundll32.exe
PID 3940 wrote to memory of 388	3940	rundll32.exe	rundll32.exe
PID 3940 wrote to memory of 388	3940	rundll32.exe	rundll32.exe
PID 388 wrote to memory of 3784	388	rundll32.exe	mssecsvc.exe
PID 388 wrote to memory of 3784	388	rundll32.exe	mssecsvc.exe
PID 388 wrote to memory of 3784	388	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b0d0b61fb8e6a810dcadd0df1f069e3_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b0d0b61fb8e6a810dcadd0df1f069e3_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3784
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2036

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
55477ec55148e423beb1946e0eb495b7

SHA1
0edca734ed8f75820b4043913acb2d9bd399b466

SHA256
1b73ad6faf1d3ba9c6a9a2d082427c74a0faea086e45378b9b56554b4e80b3e9

SHA512
2206f8791a29141994da8f4aec4a6d969177fe4f5712652a253bb303d9cf5056cf5cd12594531475b394d0eb886c5baa985a47e1a4c3ed7da095227933ebec3b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
8bbb7df3e56888fecdf897d5bbfef21d

SHA1
fb35e42247ea6265c01464d6e0b0c0ed1ce62844

SHA256
a125d26a85ca89571848845618c0e27db67c4ce76ddbe9e0ca5b80c439689280

SHA512
13251092be3fe5325ee58e5559a93018a736538af6dbe79e54631dbaf17d33dae4cf3dcbf0926730577abe441a336e1cb315dd059b0c70bf3b6f854b9f9cc9ad

Download Submit