wannacry | 21042a7b67316cad948aed3b784fae60aa215f0b8e11d2fcce566b1080b8cbdd

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b15c022f3f18663b835299793cedc631_JaffaCakes118.dll
Size

5.0MB
MD5

b15c022f3f18663b835299793cedc631
SHA1

24d77f6019b1fe5396147ef6a577103a7d1727ef
SHA256

21042a7b67316cad948aed3b784fae60aa215f0b8e11d2fcce566b1080b8cbdd
SHA512

73170bc873820471ca21d5b16e0cd5dfabd8bb574ba829fff34353b210eea89543abf2ef8853815df64963aa3eff2159df3f3c27cd2abd8179a61b4ffb91a510
SSDEEP

98304:+DqPoBhz1aRxcSU8xWa9P593R8yAVp2H:+DqPe1CxcxadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3088) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2396 mssecsvc.exe
904 mssecsvc.exe
4316 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2396	mssecsvc.exe
904	mssecsvc.exe
4316	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3404 wrote to memory of 1248	3404	rundll32.exe	rundll32.exe
PID 3404 wrote to memory of 1248	3404	rundll32.exe	rundll32.exe
PID 3404 wrote to memory of 1248	3404	rundll32.exe	rundll32.exe
PID 1248 wrote to memory of 2396	1248	rundll32.exe	mssecsvc.exe
PID 1248 wrote to memory of 2396	1248	rundll32.exe	mssecsvc.exe
PID 1248 wrote to memory of 2396	1248	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b15c022f3f18663b835299793cedc631_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b15c022f3f18663b835299793cedc631_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1248

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2396

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4316

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
11ee9c8a2d541a9409ac52aa4ed0092e

SHA1
6f99f7c62c3f8941d5aef6f6c12efb8ce97a63f4

SHA256
0c8cbd7893cda0843f3ca95c92f96a0775ff81c2fc6aea0783634c247f2c035c

SHA512
81713df4b904df18ff33dc72b2858385f9067b962b73f784558f3eaf8e2755142c2c54749422693c8074ee349b023a8b33c566b6e90b598671e8b93a7a3312d7

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7688e306fdad9117a138e0e7f1cb78ca

SHA1
ea396123b58d6fbb10c57eb6a8a837d55b42b5f0

SHA256
74edfb491a79580bda5953d2149930eb9b5941f3c71a76db919d7d98a841143e

SHA512
0555afb491769733090936da2461da479e203dce865fd6ab4a4df3679a224597ca3ba72cb7182dfcb398391cfa7ce8d72bdaf1699ec97dc2b1581f81bf87c788

Download Submit