wannacry | 1fe8c9aa6cae51464d6a30e49758c0a7bdef1766b5e7f0fbc03468fc5018583c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll
Size

5.0MB
MD5

a7ad39749481cbe97852995ca17dc79f
SHA1

71be9aab613b8323377213ab2d0f1b27eb3b7777
SHA256

1fe8c9aa6cae51464d6a30e49758c0a7bdef1766b5e7f0fbc03468fc5018583c
SHA512

5f52ebc4eef192b98a665992fd8692857c97df63962396614c9bce1852fe8e8cb1936c3af1404acd92462d1d28c2860ea4e395f6152ed4805220fb3b0257b150
SSDEEP

49152:SnAQqMSPbcBVQej/1INRdSqTdX1HkQo6SAARdhgFEnAEYc8c6Ri5WN6njF2nAEYH:+DqPoBhz1aRdSUDk36SAEdhn

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3206) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1544 mssecsvc.exe
2096 mssecsvc.exe
2120 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
1544	mssecsvc.exe
2096	mssecsvc.exe
2120	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2064 wrote to memory of 5052	2064	rundll32.exe	rundll32.exe
PID 2064 wrote to memory of 5052	2064	rundll32.exe	rundll32.exe
PID 2064 wrote to memory of 5052	2064	rundll32.exe	rundll32.exe
PID 5052 wrote to memory of 1544	5052	rundll32.exe	mssecsvc.exe
PID 5052 wrote to memory of 1544	5052	rundll32.exe	mssecsvc.exe
PID 5052 wrote to memory of 1544	5052	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5052

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1544

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2120

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
a25bece31e4c4348c705d61b775cb557

SHA1
8287bbd0daffbcfeb3c651f949dc665b20f47fc9

SHA256
fe8c7e7fe819bf178af0977c36932acaf9b2af904accfd6eff67d436ac4e57c5

SHA512
57d812790a778f99b95df24bf303c980bb91b56be5916302e879a82158fb7158367c0167b9a9198fd78dc1a57e1bac1692e236b89c8ab6c46720b698e84bb171

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b8c04e629eb09b7ec4ddc4bb4fa4d4ff

SHA1
3e71fa5abc40f30e8eea5a3af92e3eec17df9376

SHA256
3802abe3243ffcbfbb8dba64faca34b985b0d07981eb56cbd31b6884ea46c0bc

SHA512
11b5e1fb2abecef2e5b54871c0549e710c9509c264cfd3423de5ef727cbd67a2e9bf96e9c5935ff2a0ee2461dafd2b77e4c55365dca9715d9edf21f6e86ba326

Download Submit