wannacry | 7f3c2b4bd944487dce8b75eecbc4fea113cdcb44e18b95df21c8bea588d29450

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 14:01

Target

7d38c11ca25fd6554659e86371e36267_JaffaCakes118.dll
Size

5.0MB
MD5

7d38c11ca25fd6554659e86371e36267
SHA1

a38b9e974fc54c1f7f21aa297ee3cfda4e6373af
SHA256

7f3c2b4bd944487dce8b75eecbc4fea113cdcb44e18b95df21c8bea588d29450
SHA512

60253eecf7318b3f0a80340e8497f003f46f488402c18a504120908db4aad820c727b2fc3224a4798f576a0051cb8e02d3fa6834d6f8a2f21823c51dbd42cb1a
SSDEEP

98304:+DqPoBaz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPZ1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3245) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3912 mssecsvc.exe
3228 mssecsvc.exe
3356 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3400 wrote to memory of 4044	3400	rundll32.exe	rundll32.exe
PID 3400 wrote to memory of 4044	3400	rundll32.exe	rundll32.exe
PID 3400 wrote to memory of 4044	3400	rundll32.exe	rundll32.exe
PID 4044 wrote to memory of 3912	4044	rundll32.exe	mssecsvc.exe
PID 4044 wrote to memory of 3912	4044	rundll32.exe	mssecsvc.exe
PID 4044 wrote to memory of 3912	4044	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d38c11ca25fd6554659e86371e36267_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7d38c11ca25fd6554659e86371e36267_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3912
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3356

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
aba83a448739cdb8b404ef3ce2014d34

SHA1
ae92b54c1105dd29071dd50e2df37cba6b1f24bf

SHA256
41366d305ce2613ebcbfba84c640e52d8f65634d2aad5fd87da5e3c74524b95d

SHA512
63ae9f9019a2879de3f6fdf048f8ecbc634b2391a2944d0dc96cf8459623f1027d2d34360f91961af992b35b9931a53ba63551d3560b4ff1c279e2a21d321401

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
cd362ff71b116fcef2700db8c80038ba

SHA1
5ae721d316aa2761f51a2f6dfb6eb88e10452b8f

SHA256
2ca2e658bd7fd17c11b1f27ffe3c6b5ff37e5100a2a1e0d446a5833ad7304c30

SHA512
72e7a9384b701056fceed0b4b923ab75a37da6936809ac5790523e1c47b3699b3742debf96d668834ede7f37420ccbaa5f216759356433a2afa59e1ca562a203

Download Submit