wannacry | 768e7c17c3c95e8fdbfe517fd34763aff6a49c730c775af65414a691585d1b30

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

172cae5741578845025b9875ecda958d_JaffaCakes118.dll
Size

5.0MB
MD5

172cae5741578845025b9875ecda958d
SHA1

08ac3a671857efdd436ffa038b205d2ac0b830ee
SHA256

768e7c17c3c95e8fdbfe517fd34763aff6a49c730c775af65414a691585d1b30
SHA512

9e8c01ad064acecfdb1e56200e1a016ef0b6f548d69d0de68b270a5fc7adf21cdfb840d06884e6070d9393e83ac05b5d5729217e7e3711293caab302ec0639e4
SSDEEP

98304:TDqPz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPz1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3127) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2748 mssecsvc.exe
2296 mssecsvc.exe
3968 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2748	mssecsvc.exe
2296	mssecsvc.exe
3968	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3104 wrote to memory of 2208	3104	rundll32.exe	rundll32.exe
PID 3104 wrote to memory of 2208	3104	rundll32.exe	rundll32.exe
PID 3104 wrote to memory of 2208	3104	rundll32.exe	rundll32.exe
PID 2208 wrote to memory of 2748	2208	rundll32.exe	mssecsvc.exe
PID 2208 wrote to memory of 2748	2208	rundll32.exe	mssecsvc.exe
PID 2208 wrote to memory of 2748	2208	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\172cae5741578845025b9875ecda958d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\172cae5741578845025b9875ecda958d_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2208

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2748

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3968

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3536 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
af8b2a8701a6ade0c8113988e45b4e6c

SHA1
e3e01397f5f3d2d58a86c60954fb06893138aed8

SHA256
1a5281967e3fd163b3260393201736910efd8aa683e364aa7a327e7db52f29d6

SHA512
bff785d9282c458f5b6825d3ee15c1b98c0b39d9d38f8311a40ef532472f638adb53a274ed08570e9ae7eaa411a41f8c100e0c5814ae2a0c1575d92403458e5c

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9de4abd28019e64c49e745dbb210fea4

SHA1
9f7c19802b737b860f25c69c993066729ff894ce

SHA256
18c2c5c6962e53029137d4f20d46ce2b69ce3a2750a3262d9f78578daf64c2fb

SHA512
167f2a0b811d03ffb286191f4438baeb7ca09a26f2f93bd75f07937c487e66d9422e695f58c34530938cf8e2f5c51c82c183aa685c84ab90617590db840ebb5a

Download Submit