wannacry | 5de6e0b877d6b134dfbb7acd502bfbc5aa6b37f888e6a845e0ee3fe83f66152e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb655b896152fa426d3a96cbadb5614_JaffaCakes118.dll
Size

5.0MB
MD5

7fb655b896152fa426d3a96cbadb5614
SHA1

8dfcae6ae3ad6e492424be0e012310e77ab67f26
SHA256

5de6e0b877d6b134dfbb7acd502bfbc5aa6b37f888e6a845e0ee3fe83f66152e
SHA512

723d320fae808dd1f4a676bd5ddccde9c4f769df4bd625dc9e8224ec794368a07bd146b80a251b091f52390d8236487f288ef746ace389573963b8140a7d80ce
SSDEEP

49152:znAQqMSPbcBVQej/8nvxJM0H9PAMEcaEau3R8yAH1plAH:TDqPoBhz8vxWa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3227) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3040 mssecsvc.exe
4340 mssecsvc.exe
636 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3040	mssecsvc.exe
4340	mssecsvc.exe
636	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4332 wrote to memory of 2388	4332	rundll32.exe	rundll32.exe
PID 4332 wrote to memory of 2388	4332	rundll32.exe	rundll32.exe
PID 4332 wrote to memory of 2388	4332	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 3040	2388	rundll32.exe	mssecsvc.exe
PID 2388 wrote to memory of 3040	2388	rundll32.exe	mssecsvc.exe
PID 2388 wrote to memory of 3040	2388	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fb655b896152fa426d3a96cbadb5614_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fb655b896152fa426d3a96cbadb5614_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2388

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3040

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:636

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
404bf3a96cd7ff19664bd44efc3a62db

SHA1
4318cc610774b885eb77b9372e35505fba322aba

SHA256
80fed1a9e5eba6b0931d7730ab5a49c84200eb51f73256164b0b54ee57d1c023

SHA512
a5d6c4ebbba8a5d307f70f4525f57475adf991dfccd7475c154cae7f0d8e38af50ac62381d84a9792a2ca9a155c0f7ec0f9bbf82f16f938effd7aa0b05acff06

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
458e29dafc7851f3075f8a5e98651150

SHA1
2e0e3241755de43365c7b19a6bc151f92943ade2

SHA256
e9a01a23a1b21f9d9526161f56c2b6d98f04262c6f6af755a60616edc536f14b

SHA512
dfa1aa334c495faf15cb52c483256451a72c1bd636b9fb5ffe5f92d83cf2e4357e9299913ebb5e8edfb9fa99e4b62513238b08ab8261a436a851e4fcea0e148d

Download Submit