wannacry | 424d3a9ccee7e2fe5cf4b714f6a5a2557c456adcb0eb49ea4dd733e8151e3eb0

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15cc01862af8af5540569cb247b3824e_JaffaCakes118.dll
Size

5.0MB
MD5

15cc01862af8af5540569cb247b3824e
SHA1

5c99e40e4fd8f3bce17a4e134daef3e7c4fb2e33
SHA256

424d3a9ccee7e2fe5cf4b714f6a5a2557c456adcb0eb49ea4dd733e8151e3eb0
SHA512

370bd14b91afdd1ffdd56e045897b090f6e1037e556c7c3dc6d131854056db5fe6092c68b94cc03372bd4fb681e214783b143564d2f9c4960dce2433e3213ba7
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P59jF:TDqPe1Cxcxk3ZAEUadn

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2574) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4352 mssecsvc.exe
3304 mssecsvc.exe
2896 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4352	mssecsvc.exe
3304	mssecsvc.exe
2896	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2748 wrote to memory of 5040	2748	rundll32.exe	rundll32.exe
PID 2748 wrote to memory of 5040	2748	rundll32.exe	rundll32.exe
PID 2748 wrote to memory of 5040	2748	rundll32.exe	rundll32.exe
PID 5040 wrote to memory of 4352	5040	rundll32.exe	mssecsvc.exe
PID 5040 wrote to memory of 4352	5040	rundll32.exe	mssecsvc.exe
PID 5040 wrote to memory of 4352	5040	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\15cc01862af8af5540569cb247b3824e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\15cc01862af8af5540569cb247b3824e_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5040

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4352

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2896

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
a8daee2b8c6d0b4854a9fa4ebfa2cff1

SHA1
2941a117e5842f2cb599d972e39ea95a41947167

SHA256
f853a55c32fe0bfed0eb0b572ac977c0a78144e67bef5923f8ad0a7813cc21a2

SHA512
db47e98297640f6f9d077c78fe294c4d17d08fe1f662cd7caf338f34eed0334c5c94268ef9ed70c723d586fc1483873d2252e53e455ebedf07bd1ce49c0816d7

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
0e7e40f6f6721d8101e1af6364cea915

SHA1
c6cf47adc6838959f6be89a451683f5de6ed4615

SHA256
c1b25601c63b3c6e74f19339c2e078e8b30a8459dce576ddb3334a2656027220

SHA512
87177775a761efce80490eaca29339f883e85484aa808dd7816cabd4d7d9ce03af2865c5afb64ade8df69c5e2c547e026f99c0838b7b7a60ab61e63981013699

Download Submit