wannacry | 552efe8f5efb8129a4d833ae6ed783641cf9f471da4bacc677ae29710e4bd50a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b23051106c6756a8e53341d0d9fff7a_JaffaCakes118.dll
Size

5.0MB
MD5

6b23051106c6756a8e53341d0d9fff7a
SHA1

e008eace53673b85ffb20f1e7f002a6a0579bfa4
SHA256

552efe8f5efb8129a4d833ae6ed783641cf9f471da4bacc677ae29710e4bd50a
SHA512

3bb5495b996d7184f19787b099190a3cc8f76ac116238647d653feddd0abca0bcb94d10f7290238ebf2888ddb1f8d35ef7f3bb3693dc24b36033914490742377
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5gj:TDqPe1Cxcxk3ZAEUad

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3132) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2784 mssecsvc.exe
3016 mssecsvc.exe
3500 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2784	mssecsvc.exe
3016	mssecsvc.exe
3500	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1500 wrote to memory of 2196	1500	rundll32.exe	rundll32.exe
PID 1500 wrote to memory of 2196	1500	rundll32.exe	rundll32.exe
PID 1500 wrote to memory of 2196	1500	rundll32.exe	rundll32.exe
PID 2196 wrote to memory of 2784	2196	rundll32.exe	mssecsvc.exe
PID 2196 wrote to memory of 2784	2196	rundll32.exe	mssecsvc.exe
PID 2196 wrote to memory of 2784	2196	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b23051106c6756a8e53341d0d9fff7a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b23051106c6756a8e53341d0d9fff7a_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2784
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3500

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4148,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
a91fc9d224468e8f1dfd7d8eb367074e

SHA1
a418b11a42b9f713dcf9f7c40a81b1709d623ea8

SHA256
a8ecd2fefa1b2990ddb36343411576daa6c862cc94b6d820d1e0c4bb5b84d113

SHA512
397e207525788e1d795268c01479909ee726aec2c387742cc77d546386076e0b56c82a7b6e964a75a2375cfe9ab2ef5d099d122ba49e3a62d2db1c105e2b997d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
ff729d23b1353d619c6dbaef97e47887

SHA1
66e490eff1b2630734b1f13eee21d29e4d7892d6

SHA256
2ba75b1a66d10af36e5bdc37ecd764914b511e0d96a82f9f61baad90c17cf1bb

SHA512
c35fc7481592a0591774bc431f0ada31dd29093251cf8d1e42af81a73145926425846945fe23e5f85cf3aeaec198c9f1123a1cce04f7179374f313a5d11cc5c9

Download Submit