wannacry | d95046fcae8f8b55b9a2c5af4f06f1355a7540af084ac4246ca576115f8b892b

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll
Size

5.0MB
MD5

90c8869e6e9d1f1b1b1f221fb032e218
SHA1

dcad9af675d7b34dab3e48d880ea9c7caed17e19
SHA256

d95046fcae8f8b55b9a2c5af4f06f1355a7540af084ac4246ca576115f8b892b
SHA512

3cd7847e617048af2e369ef1f93687ca02e60ca3aa1f874a25c3ed9f1b334bcad2cf71ccb3aef025d76dfd6c7a378b2c599a67b14641a5275cdf2df012843baf
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef09EcpcL7nEaut/8uME7A4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBV9EcaEau3R8yAH1plAH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3352) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
3208	mssecsvc.exe
632	mssecsvc.exe
888	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 3212	2512	rundll32.exe	90
PID 2512 wrote to memory of 3212	2512	rundll32.exe	90
PID 2512 wrote to memory of 3212	2512	rundll32.exe	90
PID 3212 wrote to memory of 3208	3212	rundll32.exe	91
PID 3212 wrote to memory of 3208	3212	rundll32.exe	91
PID 3212 wrote to memory of 3208	3212	rundll32.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3208
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:888

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4624,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
425027950eceb3ef8618a41d4c2c7561

SHA1
699a7ca5c7d80efe6686626e3cb0dead45c160fa

SHA256
aecbe9a152fa04a3d621917d9dbf46a00d0f48832ef72763d8a36e7d741e3f69

SHA512
67d9198eaeb7d223ea63468155df4398a52f00c8fa8a04806476e37f81a1a6b1040df5bd826c335ccb8f063834067a38cb912dc58841699207550a836c4662ac

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
0d69feba1b77be64ffe3e073ceac533a

SHA1
a24bbc7d295954433f2f2b897bc4c48a3bab698a

SHA256
0bba41a3a33d8a913dd6ef84a371661da83d724a191f7cb2fa09753f913b80df

SHA512
83e4e65cf686235020ee2bcabd6f90be81a35a8d43f90d671f22a6136b41c0b1ffcc13416d6c2a7de02362a2dd288fe3058e4e4d924544117b0c675f2dde5259

Download Submit