wannacry | 38c3a368380051851b24e20346818b6ce7b0f82ed6a0161e8a97d5dd5fac1f55

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf442fb38abdde90f6b56a5bb7ef852_JaffaCakes118.dll
Size

5.0MB
MD5

9cf442fb38abdde90f6b56a5bb7ef852
SHA1

d02a404a8f9710c1b43899377d65a5651a685740
SHA256

38c3a368380051851b24e20346818b6ce7b0f82ed6a0161e8a97d5dd5fac1f55
SHA512

e2fc2a19939713f2b1f2ac568fa48f5fbf04c4db00e7a980c2687e475851e0d99c4ee1f97f18d45301b308e2d8f899ca75df710ee7d1c4394ce236dfc72eab6a
SSDEEP

98304:+DqP3hz1MKSbevWSdOLZSPebdWDAVp2H:+DqP51M5bNiOLhbdac4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3147) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4780 mssecsvc.exe
3292 mssecsvc.exe
3296 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4780	mssecsvc.exe
3292	mssecsvc.exe
3296	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1904 wrote to memory of 4920	1904	rundll32.exe	rundll32.exe
PID 1904 wrote to memory of 4920	1904	rundll32.exe	rundll32.exe
PID 1904 wrote to memory of 4920	1904	rundll32.exe	rundll32.exe
PID 4920 wrote to memory of 4780	4920	rundll32.exe	mssecsvc.exe
PID 4920 wrote to memory of 4780	4920	rundll32.exe	mssecsvc.exe
PID 4920 wrote to memory of 4780	4920	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9cf442fb38abdde90f6b56a5bb7ef852_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9cf442fb38abdde90f6b56a5bb7ef852_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4920

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4780

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3296

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
8f58251e6f4b1b4f7dd9aa3939ce4740

SHA1
81d764d2c4d931f0b1fd343298484986075d3bc4

SHA256
3ca9d3766b520ce2b3c97b1fe64aa920fcc8eb64f5725354308eac77c5bd8c16

SHA512
01d066ad1e5907ae38ce8e04218450a74f9a1254bad2deef55c3f90a6bf74685fe72c66a69ab235457663686a9bc795022b25c75d0c7910018930f4f0352763d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
3d06b2c9772ac074e6127981bf99ca88

SHA1
3fcca7f9f21b5e99cf5d914fd433efae138db990

SHA256
f6a2a7601cb90d372b3d5766270cb597492fd91e2cccd60fbb19ec1ac455b35a

SHA512
083c4e7d318af96983afa2bbb911086cc52d0f1a828c348122d797221346df90e51b049b993fb8f26dd0d639627635eb95eda7004c26598bc2108118752a6ba7

Download Submit