wannacry | c25c8e2d44c64baea75f8fc5758cbe82a88c5197242380b3f4cfbc65ef565654

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133c62605d9a83623fd22c747918b32a_JaffaCakes118.dll
Size

5.0MB
MD5

133c62605d9a83623fd22c747918b32a
SHA1

5bb51269d20b3854db6d947d978808d13a33a9aa
SHA256

c25c8e2d44c64baea75f8fc5758cbe82a88c5197242380b3f4cfbc65ef565654
SHA512

0f13cb6afc6d34c1649b61ffdd9e3cee675ae41102f9e764117e4fe09a17d5b5febb05db4dd7886e7f3787c8b072b3de97d743b69acd9b8c8297b3ca3d036a92
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdZB:SnAQqMSPbcBVQej/1I

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3062) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3216 mssecsvc.exe
2428 mssecsvc.exe
3800 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3216	mssecsvc.exe
2428	mssecsvc.exe
3800	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3256 wrote to memory of 1640	3256	rundll32.exe	rundll32.exe
PID 3256 wrote to memory of 1640	3256	rundll32.exe	rundll32.exe
PID 3256 wrote to memory of 1640	3256	rundll32.exe	rundll32.exe
PID 1640 wrote to memory of 3216	1640	rundll32.exe	mssecsvc.exe
PID 1640 wrote to memory of 3216	1640	rundll32.exe	mssecsvc.exe
PID 1640 wrote to memory of 3216	1640	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\133c62605d9a83623fd22c747918b32a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\133c62605d9a83623fd22c747918b32a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1640

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3216

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3800

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5c4cbb156deeaf7d896a9426f2818406

SHA1
7a0e16ae16038c1d362e1ec4a36e24eb7621a21c

SHA256
878bb4650dd88473e1abe6d8be0d30d96bd577c13ea629f8b09f48d97649d48c

SHA512
ebfd7c59b4ffffb645bce72b9db70099c78b9a3b64bc78fd971d08ba8ef22d43d5418a1bf1637834ac8aa020fe1aae5361a8307625c272e76a06f3786e7f98a9

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
d185ec4dada36619bdfcf3d936d77f04

SHA1
73ba315952a304b6b58a0e1456450a6e8a9e1901

SHA256
22c5f71bb6046d44b3a9bf90bd46e5115e9eb67076a33692811b786f3ab8e418

SHA512
ca5ff6924780829565daf83639a440cf779dd73a69b906ca3adb1eecae7f2bf797eeb9b9a3cc7c15efbaa5dcf6c25aa05ef432139992e909076efd544bef4e31

Download Submit