wannacry | 6aa3328f68cbc5ac3d2854334e1e2a4c96310f735a0eddead7fa1416cf1767fc

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ee9049671c6fdcda29351ac72b4e29a_JaffaCakes118.dll
Size

5.0MB
MD5

2ee9049671c6fdcda29351ac72b4e29a
SHA1

6a03157901da06f8f8254bd986cf4851b5b1ddec
SHA256

6aa3328f68cbc5ac3d2854334e1e2a4c96310f735a0eddead7fa1416cf1767fc
SHA512

568e7225c7f1ad753d68b4c28a67ec1d1325d34b5c4f4fe5feae76e6a20c1663832997c3cef6b16d09ec996b4b775668ee05c9d8d0efd62783b476684db78d10
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdh2QyvGSIkI:TDqPoBhz1aRxcSUDk36SAEdhTSY

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2822) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3120 mssecsvc.exe
1872 mssecsvc.exe
3648 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3120	mssecsvc.exe
1872	mssecsvc.exe
3648	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2380 wrote to memory of 4520	2380	rundll32.exe	rundll32.exe
PID 2380 wrote to memory of 4520	2380	rundll32.exe	rundll32.exe
PID 2380 wrote to memory of 4520	2380	rundll32.exe	rundll32.exe
PID 4520 wrote to memory of 3120	4520	rundll32.exe	mssecsvc.exe
PID 4520 wrote to memory of 3120	4520	rundll32.exe	mssecsvc.exe
PID 4520 wrote to memory of 3120	4520	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ee9049671c6fdcda29351ac72b4e29a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ee9049671c6fdcda29351ac72b4e29a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4520

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3120

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3648

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
02bdea71d4aaeecce7350259d55713e6

SHA1
972aa6f514a3f08bca2ce5f0ebc469c2c89a60e0

SHA256
09903b550b5425b3177f047d7b5516c83f1afa1a7bf3d593e51cdb9431a24374

SHA512
1b4bf170f44ebe2822dbcfc43023f67b472f832112c535494dc79c6863661d6922bf90a885cf49ee5e5e728472f55345897cef2dfc1e5ef7a2e3f87d48428da2

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
2e3c39e51cac6f084bafe8b116363342

SHA1
58353fa59e76d24bcddedf183d15d41481e67efe

SHA256
447599e6b7a2fbc0b586d1e04d11a97ac43b9daae279f74a19de26cd7aeed875

SHA512
783cf2d4452c7fbbcbee955367eca14958f415f53830f2a2f32003f7ad66c55b30fd5c02dc6fe97e51cd46bcaf80eb9ef79b77b8f8b7e994bd854eb1eb7cc53d

Download Submit