wannacry | 46fb5d108b98f5d7ba3e3d9d8eb47078d5de6e4a93a2a15ba35038cd9eac7416

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9981f085be37a7911978dadd3596379_JaffaCakes118.dll
Size

5.0MB
MD5

a9981f085be37a7911978dadd3596379
SHA1

f79c43f6032339d9c3845f3188f15010311c173e
SHA256

46fb5d108b98f5d7ba3e3d9d8eb47078d5de6e4a93a2a15ba35038cd9eac7416
SHA512

6befc04ee4562ef8757d9443b58b26eaf95e1af430cf25b3e7face5a05a40cb774565a8b3035a346bcc2a002a49b1f5dfa4bf16ef4614e351ce4f7e543d83f03
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5K3R8yAVp2:+DqPe1Cxcxk3ZAEUadeR8yc4

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3341) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3400 mssecsvc.exe
2872 mssecsvc.exe
3496 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3400	mssecsvc.exe
2872	mssecsvc.exe
3496	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5016 wrote to memory of 4056	5016	rundll32.exe	rundll32.exe
PID 5016 wrote to memory of 4056	5016	rundll32.exe	rundll32.exe
PID 5016 wrote to memory of 4056	5016	rundll32.exe	rundll32.exe
PID 4056 wrote to memory of 3400	4056	rundll32.exe	mssecsvc.exe
PID 4056 wrote to memory of 3400	4056	rundll32.exe	mssecsvc.exe
PID 4056 wrote to memory of 3400	4056	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9981f085be37a7911978dadd3596379_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9981f085be37a7911978dadd3596379_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4056

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3400

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3496

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3884,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:8
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
a6cf0063c310eff7191fba13053327e3

SHA1
edc0de3f1e1e95bee18dcf2fbfe3ed1e41047c73

SHA256
ebe23a239ca7be087cf17fe324379bb2f86fa1e2051b72e945254f83e453f1bf

SHA512
86d3e472de58185a6d0c763398c067bb1ecff20f848322a58aa5024435ffcc565f6de363b770960589b9223542fcf23379e9e00f2bfb98d70255c54425fb468c

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
10257bc6a0be95ba773b16aa106767a3

SHA1
7c5a6de791c5791293b8ba9306f2cd1bd30dea8f

SHA256
342ce7cab19d9404536f07fa585da89adb3a86cb8bfedfba8fa32e60698a93e6

SHA512
eaffdfed2de4da4727975a0c365ad636f6e842f724fe29840ad7bb4380c0cc32aa7ccbcb92a68013e798750b0e58f4c748df1a5bb9722aad3c07636d49e998b7

Download Submit