wannacry | 8fc37766c6b437ef8f007dda6ad2023f3c50a45290442b0abe00d1682eabc174

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

662718b21bdf61122692c3c5da90f48a_JaffaCakes118.dll
Size

5.0MB
MD5

662718b21bdf61122692c3c5da90f48a
SHA1

7942ab3ba18bb927bbb1d867e5d33dc88c16cad4
SHA256

8fc37766c6b437ef8f007dda6ad2023f3c50a45290442b0abe00d1682eabc174
SHA512

d7e00bbbf641375adda9deee4a08ccd7f2d68c9d8a5c202657d34d8ed5133f84990c98df6fb24e57893c83ff8cb622128c672df35162ac2f88947885fdc053af
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAR:+DqPoBhz1aRxcSUDk36SAE

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3369) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4576 mssecsvc.exe
768 mssecsvc.exe
4008 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4576	mssecsvc.exe
768	mssecsvc.exe
4008	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3368 wrote to memory of 4052	3368	rundll32.exe	rundll32.exe
PID 3368 wrote to memory of 4052	3368	rundll32.exe	rundll32.exe
PID 3368 wrote to memory of 4052	3368	rundll32.exe	rundll32.exe
PID 4052 wrote to memory of 4576	4052	rundll32.exe	mssecsvc.exe
PID 4052 wrote to memory of 4576	4052	rundll32.exe	mssecsvc.exe
PID 4052 wrote to memory of 4576	4052	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\662718b21bdf61122692c3c5da90f48a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\662718b21bdf61122692c3c5da90f48a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4052

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4576

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4008

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
1⤵
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e287d484beb2d316752752fa77568ea4

SHA1
8f3e23265db7635e369fb262ae37cbd52301c0fb

SHA256
9645a834491bb864d1c5d89453202960a03aed946a9998ee0c89a251ba683eab

SHA512
ff0eaa6c161111ab98487c84dc0a12d7068febc44987d03163e6dbfa50e84e27fea1413904787518d8f1d593d3843d4a7efddee307a839ed926be0dca45dec2b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
b4dc894fe688f15b1b27a226e794c396

SHA1
f0d2bfb3c12e5efe9af0205af2b3e0ad147540fa

SHA256
149d329238b3791ea6734016c0ccba29eec0267625f1062653edfc1975d4062d

SHA512
2caf09576ceb2cad251e6cdf8651d227a06a9e43f63066adeb501eca14d56ffccbcfcd89a5d5714d33243274d16eb4e89e8e45638f9c9c9991f7e7517bd155e7

Download Submit