wannacry | a2bede7a6af54bbc78a70f0e5753d96a4450838b5abe34f745aa65d54bed1e03

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9005e4d095a0d9e8e85aa7f66843f0bc_JaffaCakes118.dll
Size

5.0MB
MD5

9005e4d095a0d9e8e85aa7f66843f0bc
SHA1

e14878beffe3b2bd36066ec8519dd7418a6aa4a2
SHA256

a2bede7a6af54bbc78a70f0e5753d96a4450838b5abe34f745aa65d54bed1e03
SHA512

62566a370b5e94ffd94b67ee53dd1a65db1c26a2260281b6d5d212ebe0dac25fdc667bd54cda454fe5d8d8e88a03edf81dca3e5ca150a31d31eb8a702e9b5f0a
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjGQAdNLKz6626kH1pNZtA0p+9XEk:SnAQqMSPbcBVQejbNRAkH1plAH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3301) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3196 mssecsvc.exe
3216 mssecsvc.exe
2992 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3196	mssecsvc.exe
3216	mssecsvc.exe
2992	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2960 wrote to memory of 1332	2960	rundll32.exe	rundll32.exe
PID 2960 wrote to memory of 1332	2960	rundll32.exe	rundll32.exe
PID 2960 wrote to memory of 1332	2960	rundll32.exe	rundll32.exe
PID 1332 wrote to memory of 3196	1332	rundll32.exe	mssecsvc.exe
PID 1332 wrote to memory of 3196	1332	rundll32.exe	mssecsvc.exe
PID 1332 wrote to memory of 3196	1332	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9005e4d095a0d9e8e85aa7f66843f0bc_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9005e4d095a0d9e8e85aa7f66843f0bc_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1332

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3196

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2992

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0dd894c2b7e8b979411143e4faa423c2

SHA1
5c33f34321b7d8b69e207e4e8d5c74de9a94d679

SHA256
779b7c918ad063f1f5aade311e168a682959a9ad559d4bdd8868a31480bb88ee

SHA512
19ff1d83b915c7993a4c6de03c6196f337bf82e3700254f160adb5d972ee93b95946ad408d2361f5dda529aed52e38b0723badab7c6f5010ec62b063635634b6

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
33460411209159f501eb2983f15386b6

SHA1
379f12acf27f114de91878b3a6c06ae680b99e35

SHA256
85524147c1dcb9d1074ab6e2b49535aa056cd7c997500df57ce6f35a6c4b39aa

SHA512
a2819fc8de31fce03211c677872d862f0f22fb56a4659af84ebf9d6824981ed620c70fb90e723146e2896255e5bc37bcab983a89c83614eda54676dd0a12358e

Download Submit