wannacry | dfc39b466ba47e71bfce125f8dc481deb8150c7c4737a118b770daf1b96989cc

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29057932b62403215de35c9f21e2d38c_JaffaCakes118.dll
Size

5.0MB
MD5

29057932b62403215de35c9f21e2d38c
SHA1

91eb61a16d478c2c34948f38534447e3560da641
SHA256

dfc39b466ba47e71bfce125f8dc481deb8150c7c4737a118b770daf1b96989cc
SHA512

5b9a794c3bd9d49fb1ad7cf224bab8d6a304bbca38ead96225489f736d923c901ff676d61e6181a17dceb40490167d2027f6f6ac10a4e670b10126738132c877
SSDEEP

98304:+DqPoBo1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqP71Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3052) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1168 mssecsvc.exe
4512 mssecsvc.exe
2000 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1168	mssecsvc.exe
4512	mssecsvc.exe
2000	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1444 wrote to memory of 4660	1444	rundll32.exe	rundll32.exe
PID 1444 wrote to memory of 4660	1444	rundll32.exe	rundll32.exe
PID 1444 wrote to memory of 4660	1444	rundll32.exe	rundll32.exe
PID 4660 wrote to memory of 1168	4660	rundll32.exe	mssecsvc.exe
PID 4660 wrote to memory of 1168	4660	rundll32.exe	mssecsvc.exe
PID 4660 wrote to memory of 1168	4660	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29057932b62403215de35c9f21e2d38c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29057932b62403215de35c9f21e2d38c_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4660

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1168

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2000

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d8505ac58bfb183a53c9ac2d725adf2c

SHA1
7697211ba54352da68f565ff60388ee736d7af69

SHA256
d8484ce6c9eaeec30b418510c4164e2cc0d3267d6d77a9ad230a4d8967f2874d

SHA512
f1f2d6ac6be63ede1c1a69d2b5595cf3f1478a187f8970e4a1af22e58ec0f960afcaaa108b4a442a993f6208e13aaa8ca84067dd0ef6da019f30907b8d7b2537

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
ff98c901e8a3045fb0156f3d96238800

SHA1
789c069386dc4c518bf5c40195984de87fe0249d

SHA256
b4f0af49272bd9b25e2538df4c9dd4613e54381cb73677b22bed1fca8afcb9e4

SHA512
d656e786f718e25a1a39fd78ad09b51236a2ea80daa458ca25e50bd5bb58742fcd1405e1e520143267deee6625a551e77a4f538a509500d18fcd1401c95100bd

Download Submit