wannacry | 2dfd4a11135512683f97ec40fb26bdb121bd5b27644b7d925b7e17aa75bac407

Resubmissions

14-05-2024 18:40

240514-xbmnbsbb69 10

14-05-2024 18:24

240514-w2jhxsae65 10

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll
Size

5.0MB
MD5

427c26ece5cc58787ae133d0c45b6cc8
SHA1

20ef4eb221b550905e6b7c04a0ae9e80c25e4546
SHA256

2dfd4a11135512683f97ec40fb26bdb121bd5b27644b7d925b7e17aa75bac407
SHA512

84585c3e1ba8c64e6b6f5b4d690215aeb61d4d9adc08a34fefae962677d611abde4173fb8d3665e1b58789b76fed9bd25468264f6fc4000c8356e51944085857
SSDEEP

49152:SnAQJGx+TSqTdX1HkQo6SAASxJM0H9PAMEcaEau3R8yAH1plAH:+DwxcSUDk36SA7xWa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2221) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4716 mssecsvc.exe
4944 mssecsvc.exe
3992 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4716	mssecsvc.exe
4944	mssecsvc.exe
3992	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3108 wrote to memory of 3928	3108	rundll32.exe	rundll32.exe
PID 3108 wrote to memory of 3928	3108	rundll32.exe	rundll32.exe
PID 3108 wrote to memory of 3928	3108	rundll32.exe	rundll32.exe
PID 3928 wrote to memory of 4716	3928	rundll32.exe	mssecsvc.exe
PID 3928 wrote to memory of 4716	3928	rundll32.exe	mssecsvc.exe
PID 3928 wrote to memory of 4716	3928	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3928

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4716

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3992

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
7b43d71dbfb4dc8eba0e3e2a010c5a31

SHA1
ebaca15297aa0a266c5ebf7f22f08891dc83903d

SHA256
133c67eb527809b01c5977c560949ec03c3fb5b87c8ed4bcd38c580c8bfdbd10

SHA512
dbff1d2971ffd81f1a3635b8dd6cbbc0543c4f0215f620bbdff04bbf984bf512a9891e177c14f19e5294455b25b1ca8548d532bd47971fb5eb578603ecc91349

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
aa7f6c30c24531e82018968e7aaf8138

SHA1
1d0723bcd706cbc0ba7b4111b4d18d549ad7a8f7

SHA256
dc3fe9a318d69f41e20f378fbd3368b8b7ce30cf1fa17f8d8318612acd24c80c

SHA512
2a267267bfa44f74cda7e5f58d1c994381b290ac9c0a46ea8276f60db042fb50f7ba32352478910493a4318b2e8436e9468627d2704921a1203079d3fffce0c1

Download Submit