wannacry | 98ed58ffb88ac0656e8e53ce2c177ec4ad8b237b7ce28e60dcfc85668669d487

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88a5b67273b8a51d3f4fbfd4b2136ae8_JaffaCakes118.dll
Size

5.0MB
MD5

88a5b67273b8a51d3f4fbfd4b2136ae8
SHA1

2a51d83b5a27be37d3074f4c2bcf94a89c2d0821
SHA256

98ed58ffb88ac0656e8e53ce2c177ec4ad8b237b7ce28e60dcfc85668669d487
SHA512

1a618d658c2f3d988cf9bc2eac8a69d8114081ac113ede4480ccaeef290b9dad7e98fc386ed396d63ac208333fa60c3aca6c38b9bf3ef4f76a2f0ada86a30a9b
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa99TTKH2ORi8:+DqPe1Cxcxk3ZAEUaHTy2

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3285) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4520 mssecsvc.exe
3448 mssecsvc.exe
4032 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4520	mssecsvc.exe
3448	mssecsvc.exe
4032	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2828 wrote to memory of 1996	2828	rundll32.exe	rundll32.exe
PID 2828 wrote to memory of 1996	2828	rundll32.exe	rundll32.exe
PID 2828 wrote to memory of 1996	2828	rundll32.exe	rundll32.exe
PID 1996 wrote to memory of 4520	1996	rundll32.exe	mssecsvc.exe
PID 1996 wrote to memory of 4520	1996	rundll32.exe	mssecsvc.exe
PID 1996 wrote to memory of 4520	1996	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\88a5b67273b8a51d3f4fbfd4b2136ae8_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\88a5b67273b8a51d3f4fbfd4b2136ae8_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1996

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4520

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4032

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
1⤵
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
8d5e68fbf80ef3ce211c7b63b1d9fda2

SHA1
76d6f2fd29296dee7bfdda4f905e03e4eb754b1a

SHA256
0a33f43fd1c516b4f6cdef1a1131c701e4b660f0c7318b52dd643d4e0c65922d

SHA512
1da54d41be37ae7597bc6a8301c062185d103b6ce920c1ac14cbab6b32e03981b39be094efa45d8a7653a2f4d1f5868bd5d5454a8e3b985b7482337cf89fa5fb

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a1e7a2859047a51c9925212e5d549846

SHA1
1f6fc9f4d36b091d642c8879721be425da54b16f

SHA256
a184eccf04d4b905cbcc0fb09b9f1b33babf619202fc80ede41ed02fc344596c

SHA512
63f2fc9a15172bb65916c2485126a02f0e8885f86ed24759e075996d9f37d7efbf4a131d9e2e2d856497e560c6c8a2386b0a4f0046730834e4f075b6abb109e1

Download Submit