wannacry | c687a8a161b7722282c35d4413b14ba454001a509850a64cd35050481a8cf60f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

513d519a1542b8ae4c25cc02cff2d2e3_JaffaCakes118.dll
Size

5.0MB
MD5

513d519a1542b8ae4c25cc02cff2d2e3
SHA1

5bf8da7dfc2fd5b756a59ee7325ec2ab45e6cc2d
SHA256

c687a8a161b7722282c35d4413b14ba454001a509850a64cd35050481a8cf60f
SHA512

1740e4ed73d61682e0fba185d045fa25c5ffee45b37177bf00292e1168d09c9964f14f86f49475f1b7fe125de23524334ea9d7ba2b96585470166c48aa4e9d44
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R:TDqPe1Cxcxk3ZAEUadzR

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3373) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1832 mssecsvc.exe
5020 mssecsvc.exe
4900 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1832	mssecsvc.exe
5020	mssecsvc.exe
4900	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 728 wrote to memory of 1492	728	rundll32.exe	rundll32.exe
PID 728 wrote to memory of 1492	728	rundll32.exe	rundll32.exe
PID 728 wrote to memory of 1492	728	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 1832	1492	rundll32.exe	mssecsvc.exe
PID 1492 wrote to memory of 1832	1492	rundll32.exe	mssecsvc.exe
PID 1492 wrote to memory of 1832	1492	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\513d519a1542b8ae4c25cc02cff2d2e3_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\513d519a1542b8ae4c25cc02cff2d2e3_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1492

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1832

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4900

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4572,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
1⤵
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
3ebdc37021a17453b25a109c998b822b

SHA1
b1b8c3ad91b7426edd5770b07852ad80d2e299ed

SHA256
069188530be4866f8a5f481fa8868700f63fcb23dc7a3fe81792190b22e50c77

SHA512
f821872ec93f4ec8247c523b8e65ebcd0ca5645cba0193e0c18d618b246e4badfa34eff827ab949a493a44c23058eb6797e09670b5785ad593f9954ca078afdb

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
8d3175901b880895e04969f34a94db7e

SHA1
7ba2e3860d6cb17c4bb728d8c0c366ebca5c1953

SHA256
5f23927337366102bc0ce281f8c9dbe04afc0615fbe48674a3c6c6463c054762

SHA512
76f777081f5cb57c657e4bc647e6e651b907a849620f3377b0805f73a06fc9c08c4ff84d032436bd0edcbadc9ed324132dd26694e6976e09da32c924be09e8ee

Download Submit