wannacry | 431beeaeffca82dd4e1721e029937a77b9266b4079206f0e3c945505f6ab4772

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

159f821b4785271df2e336f940d09da4_JaffaCakes118.dll
Size

5.0MB
MD5

159f821b4785271df2e336f940d09da4
SHA1

834a060938bd5112496ecb49c61d012d7708e62d
SHA256

431beeaeffca82dd4e1721e029937a77b9266b4079206f0e3c945505f6ab4772
SHA512

9efd3ab64f4b0224e56d4a672d5f1e76d47662f8ffddb78f2246dec9e292726d4b7ab9c82c2c8bea173c64c4e796340169c8f803455f56e81929fa482f172a38
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8:SnAQqMSPbcBVQej/

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3081) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4020 mssecsvc.exe
4280 mssecsvc.exe
4432 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4020	mssecsvc.exe
4280	mssecsvc.exe
4432	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3540 wrote to memory of 5100	3540	rundll32.exe	rundll32.exe
PID 3540 wrote to memory of 5100	3540	rundll32.exe	rundll32.exe
PID 3540 wrote to memory of 5100	3540	rundll32.exe	rundll32.exe
PID 5100 wrote to memory of 4020	5100	rundll32.exe	mssecsvc.exe
PID 5100 wrote to memory of 4020	5100	rundll32.exe	mssecsvc.exe
PID 5100 wrote to memory of 4020	5100	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\159f821b4785271df2e336f940d09da4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\159f821b4785271df2e336f940d09da4_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5100

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4020

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4432

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
2d5a37530a7eb94f3ff26004bc181451

SHA1
81f94a99b3e8c57895f9ae57aef4b463ff95b646

SHA256
b1ecd912fb15a12e996499804eb725e2c2d3f185a57419d860785bf20a4d4ccc

SHA512
07cb4deca73b86cd62a39581072b0cb66f90745b9904d4404d1c90fc051a6cb2115d32c787bbd132613292255c0440d6c4c87a67f17dfa41c850608956e5688f

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a7b53d11d621aebb00822915fa47f52d

SHA1
f94daaa54b91d27bc87ea44eb6d7384ddf601800

SHA256
999c87ef2c449d5d6303b9e956ff63a324957d406944524e27a4caf119f599d5

SHA512
46e33df88d6d1a03a7e336e7ffeb23610639ceac4cea5ad21a0574098d34fec840add04bf5d7551697276ba22fc4dc3d9d01e530e1c2322ae6a249cc58f6e8f6

Download Submit