wannacry | 8a162b0f97a5694c24ad499f2d3dd9154ba0f6f1eeedf8e2f4ed44ed3fa63cb3

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3e847c9251a9a413bc8fd4d191e8ca0_JaffaCakes118.dll
Size

5.0MB
MD5

a3e847c9251a9a413bc8fd4d191e8ca0
SHA1

e7d1e729fb23b78438eeab87b428cb92e986f12c
SHA256

8a162b0f97a5694c24ad499f2d3dd9154ba0f6f1eeedf8e2f4ed44ed3fa63cb3
SHA512

478728b3786632c2e600fa78680ce47908f3d5a6e5b100cc481b3cb8ba3a241f2db45beee32c0af5b8f4e4b0d84fbdcfc238e13fc82c8b958f25a416a8d023f5
SSDEEP

98304:TDqPoBhz1aRxcSUZk36SAEdhoxWa9P593R8yAVp2H:TDqPe1Cxc7k3ZAE/adzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3188) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3948 mssecsvc.exe
2524 mssecsvc.exe
4972 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3948	mssecsvc.exe
2524	mssecsvc.exe
4972	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3328 wrote to memory of 2440	3328	rundll32.exe	rundll32.exe
PID 3328 wrote to memory of 2440	3328	rundll32.exe	rundll32.exe
PID 3328 wrote to memory of 2440	3328	rundll32.exe	rundll32.exe
PID 2440 wrote to memory of 3948	2440	rundll32.exe	mssecsvc.exe
PID 2440 wrote to memory of 3948	2440	rundll32.exe	mssecsvc.exe
PID 2440 wrote to memory of 3948	2440	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3e847c9251a9a413bc8fd4d191e8ca0_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3e847c9251a9a413bc8fd4d191e8ca0_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2440

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3948

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4972

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4484,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
dd3779d8387c7d2ebcccb105b8257c22

SHA1
b11da38885ab6a7e02f5163e5770476dc5b299b4

SHA256
5fd982c89f40cd5585219f84689b7f75e61ee4e4b2e78f69c3a49e32f505ac3a

SHA512
c316b57ee0db5d52a73118ea22cf6532e684c0baac8a6292f50dd63e6914ee58e796942133a0c54bc1430fad23d0c7a362631f81e6845488e2f762fd712f7718

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
4a264a7f5d53db28d2837e75ce739d27

SHA1
fe8f14a2bd4c686030e16073fcf55a5244506235

SHA256
2ccc961e81830b1ffb8afad488383f1437a40ea4c30a2a16ec573f1f5b8b07de

SHA512
8d8c3ac86c535eaeacb1cc80ab75c03a1778099db0e4b77db861bba7cea398645beca968050491a6eb9ccf011189b364388375c8c1bb83129edbe3cf7fe0a36b

Download Submit