wannacry | 957d41b5af564362c88ad2a2033c92c60f17d4ca7fe10a6805e7bf346d7b3e56

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

430fb88c25b9ce5f5f8f6666538a214d_JaffaCakes118.dll
Size

5.0MB
MD5

430fb88c25b9ce5f5f8f6666538a214d
SHA1

6959809a973e3b4a4a0beec37b1b774e8238ca9b
SHA256

957d41b5af564362c88ad2a2033c92c60f17d4ca7fe10a6805e7bf346d7b3e56
SHA512

15452ce796deab26209c95c347b311128fc45a4e324d3bf1eae535585beb3b1cd90df93948d33c354dcc15b377c3fa532a87902fc6b0041b054a2dd1cbbced18
SSDEEP

49152:SnAQqMSPbcBVQej/1IhJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBhz16Wa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3017) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1360 mssecsvc.exe
5076 mssecsvc.exe
3816 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1360	mssecsvc.exe
5076	mssecsvc.exe
3816	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2432 wrote to memory of 1340	2432	rundll32.exe	rundll32.exe
PID 2432 wrote to memory of 1340	2432	rundll32.exe	rundll32.exe
PID 2432 wrote to memory of 1340	2432	rundll32.exe	rundll32.exe
PID 1340 wrote to memory of 1360	1340	rundll32.exe	mssecsvc.exe
PID 1340 wrote to memory of 1360	1340	rundll32.exe	mssecsvc.exe
PID 1340 wrote to memory of 1360	1340	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\430fb88c25b9ce5f5f8f6666538a214d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\430fb88c25b9ce5f5f8f6666538a214d_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1340

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1360

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3816

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
b7617437a4242212117fede7742af59c

SHA1
0b7c9e501adc2a83ed17e77fc2ab317999b010de

SHA256
9f3b097e80ab46b255c83242747cc1958c92e8cc08716b363fa0756d8532f6ba

SHA512
fcc2b8dd5fe91a8675cd8b4f173f4845ac4ee254c159d69f9d611480e9e67d3c05674b0bdde44584115c663de199aa2fcba31e5fb531dd7b2631b362e144247d

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
4dfd668a3c4cdbfaad7e9d4456647581

SHA1
fb7b0939abb03c92f6be6af36fa65d2914180576

SHA256
edb99870a96bceb131e2c83031490a2738a9bd202c0d20add651472401cc4776

SHA512
c50ee5b37850a110036faec679adf4f9a825035c6df4899f2e38da34037901fc1f07e3d703f1ace158a36068d031aa95a8d4adf0190f57203d0d501cbca053e1

Download Submit