wannacry | 22f08fa4efaf2bd2d87ca337d1b5641519725640f40d190fdcd3875e3b95e999

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75e24aea15162245448361892ea979d7_JaffaCakes118.dll
Size

5.0MB
MD5

75e24aea15162245448361892ea979d7
SHA1

eb45e80dab5f0a686701cb97ea3bbece94f467db
SHA256

22f08fa4efaf2bd2d87ca337d1b5641519725640f40d190fdcd3875e3b95e999
SHA512

1bedbf28adb48e5fdadf5d8635c61462edfd716ba9a9b6ce1227daa280d365ab48510024557f54282891b2e8523f600c5a1fead6cbf78e3269e97e865b337a1c
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:TDqPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3293) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2228 mssecsvc.exe
3412 mssecsvc.exe
4588 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2228	mssecsvc.exe
3412	mssecsvc.exe
4588	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 744 wrote to memory of 4888	744	rundll32.exe	rundll32.exe
PID 744 wrote to memory of 4888	744	rundll32.exe	rundll32.exe
PID 744 wrote to memory of 4888	744	rundll32.exe	rundll32.exe
PID 4888 wrote to memory of 2228	4888	rundll32.exe	mssecsvc.exe
PID 4888 wrote to memory of 2228	4888	rundll32.exe	mssecsvc.exe
PID 4888 wrote to memory of 2228	4888	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75e24aea15162245448361892ea979d7_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\75e24aea15162245448361892ea979d7_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4888

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2228

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4588

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
1⤵
PID:3004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
4dcd1a0e69737b7dabfc674939128b3b

SHA1
6b52a9657275749f0bb9aaff087d9e21775f6852

SHA256
a5ba3219efbbf382fb4fc972549afbd7d721c4b49b4af92b8a767ec23de26a38

SHA512
bc4a882c520e5b2aa9c0a91b917e9aa13a1a58e9667ba37030428df0296d3e863e431d8241fc59079b8395e748769e366a68fbada74c1107495ddacb8a9dcbfc

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
52b3e549e037de9a3109704ccd4aaa72

SHA1
f382881b2e454977b4fd4686834866350ef66b94

SHA256
d6361700e59b6339ed38270a4970b512f08f1f9dc8819e03d5b7bded7f1d5714

SHA512
7a232b012b314124a743dd8569a5a5970b4d6bfc0445fd12d74bc203135bd8a8d5f5daf0ce30602825da3a87e77e57192309eefcf96fda6a7439ae6806eba948

Download Submit