wannacry | 5ffaa97f3fe9c0440aebb90b8ba5bcba1ae80b994dc2a6d160a328db21ed0fcf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5e95cdccb8441beb4816ec255b3b835_JaffaCakes118.dll
Size

5.0MB
MD5

b5e95cdccb8441beb4816ec255b3b835
SHA1

fac78aca5bc929910280531534216c0de9aed3bb
SHA256

5ffaa97f3fe9c0440aebb90b8ba5bcba1ae80b994dc2a6d160a328db21ed0fcf
SHA512

b1c5f153f25400fc10d6cab7d9899763ba7a60a362c7debb47b8c1e6111278d87f9d92bb0391dfb3aee6202fbf65f9386361019a69187e0357ff989e790621be
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAV:+DqPe1Cxcxk3ZAEUadzR8yc

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2674) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3160 mssecsvc.exe
5060 mssecsvc.exe
1952 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3160	mssecsvc.exe
5060	mssecsvc.exe
1952	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 320 wrote to memory of 652	320	rundll32.exe	rundll32.exe
PID 320 wrote to memory of 652	320	rundll32.exe	rundll32.exe
PID 320 wrote to memory of 652	320	rundll32.exe	rundll32.exe
PID 652 wrote to memory of 3160	652	rundll32.exe	mssecsvc.exe
PID 652 wrote to memory of 3160	652	rundll32.exe	mssecsvc.exe
PID 652 wrote to memory of 3160	652	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5e95cdccb8441beb4816ec255b3b835_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5e95cdccb8441beb4816ec255b3b835_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:652

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3160

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1952

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
96e34b5d456e8c5a8e913ab23bdf92a4

SHA1
fff5635408360eaed6ae56a7d2f172808731e285

SHA256
3ef09546e585f842b997e5e8d033443cf837c79489d95a364100521308cb19e7

SHA512
b90d44fc0f2efddc9b9c6778b303ca6f74f79f4f87b1301a18c44222dab6c954c597a20c8e7d5431c4b16b2f906800f217bbec84e407d76ad19f2e64c0f7c803

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
f5b2695668f69642b84eb02dc153f4c7

SHA1
c12484dfdfd41bc3ad58e834f5a30a2e693cec06

SHA256
baadd5492dded1448ded7da7272324e98a97119f0987ce00c3abc70159089e00

SHA512
a031b09f7d3d850e751644b91d101201ba85f2384a20f77e0e03fe1d4f23d1fba2449e52ee77ce5017ea6b4973508fb55fc168ed56b1ba66c4f626205ad737d6

Download Submit