wannacry | b5ead8b0f1b16e949da0120d08e2317be002dc4fcc3767d7620276814d4b38b5

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

840d481def0fe53c5cbc67ec8e4a1641_JaffaCakes118.dll
Size

5.0MB
MD5

840d481def0fe53c5cbc67ec8e4a1641
SHA1

760dfb092ada4f6088d75c6ff24b1ded25a71e87
SHA256

b5ead8b0f1b16e949da0120d08e2317be002dc4fcc3767d7620276814d4b38b5
SHA512

2fff2ad38d84136a4bb445552f6bbc7582fe23f19f5c0425bb2b9b84b1a303e522d36b2a5153d07f375231134765adf4ea78d52ca53b26222399a3351f4250da
SSDEEP

49152:znAQqMSPbcBVyINRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEau3:TDqPoBsaRxcSUDk36SAEdhvxWa9P593

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3065) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1612 mssecsvc.exe
1284 mssecsvc.exe
748 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1612	mssecsvc.exe
1284	mssecsvc.exe
748	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4504 wrote to memory of 2184	4504	rundll32.exe	rundll32.exe
PID 4504 wrote to memory of 2184	4504	rundll32.exe	rundll32.exe
PID 4504 wrote to memory of 2184	4504	rundll32.exe	rundll32.exe
PID 2184 wrote to memory of 1612	2184	rundll32.exe	mssecsvc.exe
PID 2184 wrote to memory of 1612	2184	rundll32.exe	mssecsvc.exe
PID 2184 wrote to memory of 1612	2184	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\840d481def0fe53c5cbc67ec8e4a1641_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\840d481def0fe53c5cbc67ec8e4a1641_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2184

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1612

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:748

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
be3f23eb348025da14f5b09c0b4f69a9

SHA1
2c854208447a176d5c662466b6164c08106c7e65

SHA256
5d24a9562cf938e0ebc25ed77165499d578fa05d92e1d44be429c656b0b97b19

SHA512
6e8d564e4496fa7f272dde88996f8a00a6ecd9afd10c09029fae8dab745809fe637ee27f0a3ef7ff1f3137eeed8945cbf5e2e142b87af8cc2c0d97af953befa2

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
2365b3b1700a71b9c952ca54d7e08122

SHA1
b5484fc668aed29e98d025928ff0848177216921

SHA256
8e3171a391430e4efc2fda4f7feac3e118da00d08e415368bb0d0c487d676510

SHA512
54518f9aa58a8b7795d9e883f7bd3e0adc41e2756e7cbda92a920ac85d84e478a280ee1c2c5e96277a5e0e2c406c45985af9a80874bfd1503515e58601e02fc7

Download Submit