wannacry | ea2751585258f3838bbfcd95d3ba740e5f80354d017f6fcee8c2c12c5bf1594d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll
Size

5.0MB
MD5

a7e26759af6012ba56a6b9c7a46e2179
SHA1

47d8d54fc9984937a86f310880660463828039c6
SHA256

ea2751585258f3838bbfcd95d3ba740e5f80354d017f6fcee8c2c12c5bf1594d
SHA512

2729a61016127113ccc891448bf8be88d290f9cd3d82bc6c56521dd291307e09f4e3e907d326b06570acdf9d4736407f0adef6bd2b103903249a8b40f4d51fcb
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAM:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3271) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

8 mssecsvc.exe
488 mssecsvc.exe
64 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
8	mssecsvc.exe
488	mssecsvc.exe
64	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1228 wrote to memory of 4724	1228	rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 4724	1228	rundll32.exe	rundll32.exe
PID 1228 wrote to memory of 4724	1228	rundll32.exe	rundll32.exe
PID 4724 wrote to memory of 8	4724	rundll32.exe	mssecsvc.exe
PID 4724 wrote to memory of 8	4724	rundll32.exe	mssecsvc.exe
PID 4724 wrote to memory of 8	4724	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4724

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:8

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:64

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4060,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
1⤵
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
0e385950e7210bba989540cbc41a982b

SHA1
c1b50c80be5c5094f97835f283bc0bf183d018b5

SHA256
a73d1495bbac556ed8c4b6dab883f87929a566a8d65db2e95308e3082b207fcc

SHA512
c9bf020b34f14790a7479e839d5b7c5946c1c09c0e2713d302088c651c75f3e6e295d41130db972a0adef1e697bdba6c1c554d16e587628ccb92952d0a7e50ea

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
dd2435f261e4fa0a098d761847610b31

SHA1
c277ea09565541d120eb38d21e6df06a6ae8855b

SHA256
6d234a780e094198adbcbb8e31b943b0a81f56ea130a86f62d2f003cf19ae21a

SHA512
eb716d8b5aff90fcfd03cab3aeae1be04d4346d20b68e28c49dc9442d9ca60f32a098061cdce5cf3f4087541413130cb5279f4bb334d1d65da013bb18b2f50fc

Download Submit