wannacry | 3713c9324fe597da1baeb94ed3d29d37654a4f332dd0b90132de7dc9a7340015

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

371d6bbd724de01a9a2360eb231f0381_JaffaCakes118.dll
Size

5.0MB
MD5

371d6bbd724de01a9a2360eb231f0381
SHA1

193af11586a776674d202d1964bcc84dd514d967
SHA256

3713c9324fe597da1baeb94ed3d29d37654a4f332dd0b90132de7dc9a7340015
SHA512

d71a9962053407786920ac8c4830456786fe7eb6c5a8b91470352469042f29c50ef40dd0421140e9013927364aa6e0c7185583379fbcf6f477b2e9819d2b76dc
SSDEEP

49152:JnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:dDqPoBhz1aRxcSUDk36SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2879) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

228 mssecsvc.exe
4604 mssecsvc.exe
4692 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
228	mssecsvc.exe
4604	mssecsvc.exe
4692	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1496 wrote to memory of 1596	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1596	1496	rundll32.exe	rundll32.exe
PID 1496 wrote to memory of 1596	1496	rundll32.exe	rundll32.exe
PID 1596 wrote to memory of 228	1596	rundll32.exe	mssecsvc.exe
PID 1596 wrote to memory of 228	1596	rundll32.exe	mssecsvc.exe
PID 1596 wrote to memory of 228	1596	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\371d6bbd724de01a9a2360eb231f0381_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\371d6bbd724de01a9a2360eb231f0381_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1596

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:228

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4692

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5cc0a9c1e6cfbe42be5bc924f527cebc

SHA1
409b82d64243cc8047777a3d3acb275c1e18430c

SHA256
93dfe81c06b6b4b8e85c4c0743d27b1614df743c883f8b281d4919195c108cb3

SHA512
7a1bb0dc759530a616324415fecd410c4121cc31da89e002dabb1b3f6e2009f1da602e59ed692dd469906b48981b7401bd4c8ec7426a8b41995bcb6243b2e6e6

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
b4349fb0b243bf4bdc8285e0598b74c3

SHA1
47dc524381e96678a7ed255f9d21bb4d499bfff9

SHA256
d7fe6cd6f8f9079ce3189b5ba55ac78c7877e07da32733f63ffb1e94338de133

SHA512
8dd48ef20a07b75032bb6ef2188447684e95688571624adcf216151112d563dfc0ac820699fba8f7e9d35eba01abf59affd0114a198c37b6c6d9478c87e6cfe0

Download Submit