wannacry | b82a3bf3316df0fbd083b79291eebc6774ad6fd95cd8ce3852ab7800df0e019a

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll
Size

5.0MB
MD5

60dff2345008f59be49d93a84a0e0b9d
SHA1

0da7ed476a6ebb6f8191958c3368f06a65ec28d9
SHA256

b82a3bf3316df0fbd083b79291eebc6774ad6fd95cd8ce3852ab7800df0e019a
SHA512

6112d4963d009b9af83325a2f0f388b82a4fc462750885ee6c5e536cc493471d2bda10e1dc730e2df2ae823362cb7f0218457336472e5dbcbb4d63a2984b0d85
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhNREroVeiC9avc:+DqPoBhz1aRxcSUDk36SAEdhFeP

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2884) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
408	mssecsvc.exe
4128	mssecsvc.exe
1812	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3532	4596	rundll32.exe	91
PID 4596 wrote to memory of 3532	4596	rundll32.exe	91
PID 4596 wrote to memory of 3532	4596	rundll32.exe	91
PID 3532 wrote to memory of 408	3532	rundll32.exe	92
PID 3532 wrote to memory of 408	3532	rundll32.exe	92
PID 3532 wrote to memory of 408	3532	rundll32.exe	92

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:408
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1812

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
3c82571e0ab3aa17efb8fce3fef5df7d

SHA1
e1e9b4bfb2fd00cd960b6c149dd2ecb07c995ed9

SHA256
c62bacc4507bb21fbfcfb0024ba471706906f65d2f5178699ac2d8da0de74e89

SHA512
dbc407336536126159e8e66dc9d04f1c823fd0c423fd8d16ff1b4dad2ed0b4ba7e13d555f26e1d2c3b040dd0e6448f065c52ce32be81bc3841a0f5b8cbb3307d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
ae1a32d6d3cc75900702d74bebc95cc1

SHA1
fcc6d144365307cbc01ddbd5680aafb33bb43884

SHA256
c1b64c007a33c22b52488c11224d8b170cdfbe67fe2741c76bd272ae15a90e4d

SHA512
8face209838ecf9ae0bd896690d2313ff608355879fdd425f0aa336a9731c361380b0f6a0adc787ee81f8f52a414c2c23197d3461ac9a457ea9614df287bc4f9

Download Submit