wannacry | db2102e6a647005f717126b68954b23bc7c1baa5baae3cc6a6de620caf69c9ad

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e6bec90c3c40eeb623346a64a673c7a_JaffaCakes118.dll
Size

5.0MB
MD5

8e6bec90c3c40eeb623346a64a673c7a
SHA1

ca10ff363aa0dd8891ad313f3fca34b992b886bb
SHA256

db2102e6a647005f717126b68954b23bc7c1baa5baae3cc6a6de620caf69c9ad
SHA512

e1f91142b577e42a65da53f2105a2e43e962ff86bc0b87b1f91a30fbc5d7594b5a6e200b325119356c10b16c7ee8178606595320833ecb52e75c18f6993d249c
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTPVX:SnAQqMSPbcBVQej/1INRx+TSqTdX

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3106) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1196 mssecsvc.exe
1132 mssecsvc.exe
1420 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1196	mssecsvc.exe
1132	mssecsvc.exe
1420	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 484 wrote to memory of 1620	484	rundll32.exe	rundll32.exe
PID 484 wrote to memory of 1620	484	rundll32.exe	rundll32.exe
PID 484 wrote to memory of 1620	484	rundll32.exe	rundll32.exe
PID 1620 wrote to memory of 1196	1620	rundll32.exe	mssecsvc.exe
PID 1620 wrote to memory of 1196	1620	rundll32.exe	mssecsvc.exe
PID 1620 wrote to memory of 1196	1620	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e6bec90c3c40eeb623346a64a673c7a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8e6bec90c3c40eeb623346a64a673c7a_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1620

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1196

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1420

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
ce87f80f5f2ac09c0de1e29baa323abb

SHA1
4e294d9380b0b62ebc73a82d1577e0d21df54242

SHA256
6966177eac33ddaf15529f7772f7344f8d223ff8d97d110383fe0574d8f91ac6

SHA512
5de33e9af491ffb15cec8acbb46addd04975c820499e2b49125c8c74b2a88fa3618eb92e4e79856b4234a4169a362099d0b9c5f70c599082cb84a60ef104772f

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
b80f0fbd7fc31d8a72ada4357505ce3f

SHA1
4ec89064276a24988f05fd2524b1dfa8d4f9b9ee

SHA256
d69f98a929690bdc77fbc0c2e77519d9e5c93ba954f1921749961d17dd5305ff

SHA512
2fdd794799d5da6f4c5dfa34d08515c3d400fd0d53e04b5d509274379b9df46207aa09ea93258338796e83b2b62a18e44eba8a925ecbd9b5c19a2edbdc64b898

Download Submit