wannacry | 0a7ae3f256bbea33dafdab8ac7bfe206c2527a03bd6f3f4185ebd4c8593f170c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

914fa8b79986c8b1811f42daf3858e4c_JaffaCakes118.dll
Size

5.0MB
MD5

914fa8b79986c8b1811f42daf3858e4c
SHA1

769a5a99cb0daeb4817f6e5708a31387cd49fc8e
SHA256

0a7ae3f256bbea33dafdab8ac7bfe206c2527a03bd6f3f4185ebd4c8593f170c
SHA512

24ab0f9127850edd312ecd352815049496aa06cfef13b5c0a89f234678b84a2ba6914d3454ce793b8fb08e2f03de8bbb7d6206ec9f1d9792c927930be2bd7230
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJMDlAH:+DqPoBhz1aRxcSUDk36SAEdhvxWD2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3264) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1512 mssecsvc.exe
3184 mssecsvc.exe
2720 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1512	mssecsvc.exe
3184	mssecsvc.exe
2720	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2040 wrote to memory of 2136	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2136	2040	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2136	2040	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 1512	2136	rundll32.exe	mssecsvc.exe
PID 2136 wrote to memory of 1512	2136	rundll32.exe	mssecsvc.exe
PID 2136 wrote to memory of 1512	2136	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\914fa8b79986c8b1811f42daf3858e4c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\914fa8b79986c8b1811f42daf3858e4c_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2136

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1512

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2720

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
7a080215151f1f312751bb7941ee8f86

SHA1
5ff418d9ca40ba961eddc114b1e18f52eff66439

SHA256
926e5bdd79bca9420867e9f44c11688c42164885b317df7cea9c1b52ba83d5ec

SHA512
946c646fa0f5d904bf428e14985164ef090bc3f8944a097f9eded0d8977a3db39ef894b3c6e1fec2bb957a2853e1ffafa33c41ce189ea36960afbc26b31bbc1f

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f4eebe38c2a8a8e973e09c4a51a6cbbf

SHA1
667f5bb9b97a4073beeb2e60c8e59f7777145ee3

SHA256
c48a9f8243ea58d1685a5859c11108e4d2b9c0812aa8812be9ae2d273a648082

SHA512
3091a415df2098f6883c504bab7279c30d92c6c509fd541b3ca3cb6c807b7e9a052cda93bc7b23379e04411d282e595db9428859c06f8edb19ed023f5dfba844

Download Submit