wannacry | bd5542da958f0dd35a98a7d70de6720a446549c45bab17cd4187c72a353095d9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fac35125dd08082cd705c6f4863b102_JaffaCakes118.dll
Size

5.0MB
MD5

8fac35125dd08082cd705c6f4863b102
SHA1

947c39f8f0f782fedee7b1c69cc7d3affc6b5966
SHA256

bd5542da958f0dd35a98a7d70de6720a446549c45bab17cd4187c72a353095d9
SHA512

7d68970067ba379b0953ed9e7ea731732bbd57d691f233db92e58d1a93222417cbb1bb68c46fec5b8994c4368908c398b979736adc55be78cf4d8189a0297ce8
SSDEEP

49152:SnAQqMSPbcBVFhnvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBrhvxWa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3256) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4692 mssecsvc.exe
4704 mssecsvc.exe
2084 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4692	mssecsvc.exe
4704	mssecsvc.exe
2084	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2872 wrote to memory of 1900	2872	rundll32.exe	rundll32.exe
PID 2872 wrote to memory of 1900	2872	rundll32.exe	rundll32.exe
PID 2872 wrote to memory of 1900	2872	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 4692	1900	rundll32.exe	mssecsvc.exe
PID 1900 wrote to memory of 4692	1900	rundll32.exe	mssecsvc.exe
PID 1900 wrote to memory of 4692	1900	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8fac35125dd08082cd705c6f4863b102_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8fac35125dd08082cd705c6f4863b102_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1900

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4692

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2084

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
25121953c461abc1f6ce5e4556acb948

SHA1
0e6cd0c884322d340bc64be0e3e5433b3d647165

SHA256
c80a98e8dab24183cef31f412ec9454125c43f4818b76e58e43b2a23baae840b

SHA512
1d5a9cff912830ad07d2ddcb459cbe1553ebbab62b5863009efb62de621cd0d4be493be4e58ae35d3252c98bfe65f23254bc210fd68abd5c8465129f9c5a8a84

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a564e1360917e8a9d67f8828dd48e18d

SHA1
9cbf30f2f848bfacd63938da2d2da4d3c49ccc3c

SHA256
19b96ace78954ad9f6631ec0d7fa0967570682ebd68ec8cda916c3f7621eab22

SHA512
d76e91a2f9e7d2bc42d580b59f44236732318bafd683098d6a46a3c711bd0f139509add4380da9f431d6a04bc28925be4dd85b745eb3f9eeea90b031e46c410b

Download Submit