wannacry | f0459f64c92eb91fc582f8c7923ff71e15d9b2dbe5c95c40ced4d6d01e153c9a

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

359489bee79016a277b8f51b0a181a04_JaffaCakes118.dll
Size

5.0MB
MD5

359489bee79016a277b8f51b0a181a04
SHA1

f18d53d62bd048214bd1ff601239a4132cc67883
SHA256

f0459f64c92eb91fc582f8c7923ff71e15d9b2dbe5c95c40ced4d6d01e153c9a
SHA512

522e5108f826320c864a1dc9d9351e095f942cebc5d1a41f769bdb76ef89e8157513147d66cd697b0fcd639ba59f5ea2db1c14600de0c7cfdb4b829160e803e3
SSDEEP

49152:znAQqMSPbcBVQej/1xxJM0H9PAMEcaEau3R8x:TDqPoBhz1xxWa9P593R8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2970) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3308 mssecsvc.exe
848 mssecsvc.exe
1052 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3308	mssecsvc.exe
848	mssecsvc.exe
1052	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4616 wrote to memory of 2156	4616	rundll32.exe	rundll32.exe
PID 4616 wrote to memory of 2156	4616	rundll32.exe	rundll32.exe
PID 4616 wrote to memory of 2156	4616	rundll32.exe	rundll32.exe
PID 2156 wrote to memory of 3308	2156	rundll32.exe	mssecsvc.exe
PID 2156 wrote to memory of 3308	2156	rundll32.exe	mssecsvc.exe
PID 2156 wrote to memory of 3308	2156	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\359489bee79016a277b8f51b0a181a04_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\359489bee79016a277b8f51b0a181a04_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2156

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3308

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1052

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
355fb63fcbc1dd791da9ede44c50d8de

SHA1
3b6a91f8d576378a76f191ce38b4c89466ca6105

SHA256
fed117b7a88977d6daf3fe660ddb6ab235e89965ececf7838b7a7e382aafc02c

SHA512
a1f36e462b3a0ede0c95d5c73d5db66f5a82414f48da3694f1698c3767886ddadba86d902af91c61bd90325e116b858f6c3544808befbc07572d80a55c288417

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
add02fc7dc23ea36f5c41784e17ed6c4

SHA1
7faf9e9a8806f9f449a353a79a35a0d380e4fb1f

SHA256
6580e1b662e9dd9f43142226be19ea39c8952cbbd2bd0c749c12b3afea6fe8af

SHA512
26428bce4b69ce7947bd2cf4ca1260a8aad659241c6c1736d00d9f5ab366a099c1858838cd63775744336e82f89162efe5799ca62abdaac3cbe261cae8b4e170

Download Submit