wannacry | 4410461ac4c1e7c17d78d3b60e2eacbcbfeddd208c9b752613797f8a8058bdc5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll
Size

5.0MB
MD5

b22b6d701e2a273e7de63b84050f082c
SHA1

38048d68ea12dac1e44d37eb8ff60b73949fac25
SHA256

4410461ac4c1e7c17d78d3b60e2eacbcbfeddd208c9b752613797f8a8058bdc5
SHA512

f6b0e5018899f161de4c80b07c655476321dea65c4a5e4288904b678f43ba0f9bade258cf3cfc74b1c45a65a16717b89f7985a36bf73b4054b35f3138c568261
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhx93R8yAVp2:+DqPe1Cxcxk3ZAEnR8yc4

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3357) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1044 mssecsvc.exe
2688 mssecsvc.exe
2836 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1044	mssecsvc.exe
2688	mssecsvc.exe
2836	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1012 wrote to memory of 4056	1012	rundll32.exe	rundll32.exe
PID 1012 wrote to memory of 4056	1012	rundll32.exe	rundll32.exe
PID 1012 wrote to memory of 4056	1012	rundll32.exe	rundll32.exe
PID 4056 wrote to memory of 1044	4056	rundll32.exe	mssecsvc.exe
PID 4056 wrote to memory of 1044	4056	rundll32.exe	mssecsvc.exe
PID 4056 wrote to memory of 1044	4056	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4056

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1044

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2836

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1276,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
a541211789fa1a8a6cbbf33653546290

SHA1
b6d6ec8b961310e0b39954f82d48271923688e2f

SHA256
5da9e905fcc76986f6b6b7cd124452194b72e482e94fba3af3b3ff0139bf3ead

SHA512
81236e532828dc892849757553571b5c61b599f52ab9eb7e55ca82a5dfab5d325ead0fe9920341366ca08e74e1c146e14dd63e8aa3ceeb7754f10ecb969649c7

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
6c26dcffe18e718d9b44580712a31cfa

SHA1
d6e9c62396f4f6c6e0016c6fd2355db4ea73d0c7

SHA256
74453273a88cc6d31e8a133ad1cea962bf7a65181209fce2443ccb97e13ee4cf

SHA512
1b94b8bb8fc469592deca1bf3dd80ee61bd55a024194e73ad83a60043673abbda240ee394836455e14a1d54e5486a8306ef6ed919dd582f09afc903e4d05a3c6

Download Submit