wannacry | 7e4c00260e5ddce714d067a9a77fe362d332c4b37aaeb86af6de4336338140ec

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ecf5172bc5e7637f593dcf9384f398c_JaffaCakes118.dll
Size

5.0MB
MD5

2ecf5172bc5e7637f593dcf9384f398c
SHA1

bc370c26f5de99195c5aa9d764c4f42994d0895b
SHA256

7e4c00260e5ddce714d067a9a77fe362d332c4b37aaeb86af6de4336338140ec
SHA512

d9c9c8302de8507943b5cce5268bc039dd2baccf81655cb32249810d921180ff5e68ea98f22f755940fdb0d6ddb61d008601a00c512cd8e1fef946c715fbe4a4
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3075) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3620 mssecsvc.exe
2680 mssecsvc.exe
2756 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3620	mssecsvc.exe
2680	mssecsvc.exe
2756	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1700 wrote to memory of 4188	1700	rundll32.exe	rundll32.exe
PID 1700 wrote to memory of 4188	1700	rundll32.exe	rundll32.exe
PID 1700 wrote to memory of 4188	1700	rundll32.exe	rundll32.exe
PID 4188 wrote to memory of 3620	4188	rundll32.exe	mssecsvc.exe
PID 4188 wrote to memory of 3620	4188	rundll32.exe	mssecsvc.exe
PID 4188 wrote to memory of 3620	4188	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ecf5172bc5e7637f593dcf9384f398c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ecf5172bc5e7637f593dcf9384f398c_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4188

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3620

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2756

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
034fc14d89e4a86611c7e93506e11c09

SHA1
53fadf08e7a1b35ef56469aec2596765c7211629

SHA256
af319064db5f71cd01891a7052e06fc603739864657cd65fc31693fe381c2e8e

SHA512
54a867b6a4bf45e8022cc566f3656998cdf28d4cfa274eb4dbfb4cabacfec519caaa81b43e782599d73ed9dd23c55b1fb85695f0edf4b3ed0f1ef713963ee9da

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
007ca7909e171cde207dfbbc7755b436

SHA1
3b7969830d704e522ec8d9acdbb5c2b9c2a60484

SHA256
4e8b451fa36413c78a8979e64f53a86b9a1354d9f587b59fa4985f791f6be78c

SHA512
d32212b0a23d184e1232b98bc2016517058af56314b17e25a28723ef98429c2f202146c2d80da653e34fabdb6f97d1cc406ccd9c9b650ecd8d5f4151bfe7e0ea

Download Submit