wannacry | 35c02c4e411114e6f7abadad47b55d510b487e160a7c9ff477d6c10b48d7d5d4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b918c4f4ec5726ee9537c7a850d59b03_JaffaCakes118.dll
Size

5.0MB
MD5

b918c4f4ec5726ee9537c7a850d59b03
SHA1

b1decbe1bd8753355d467f64b7c781e489869a32
SHA256

35c02c4e411114e6f7abadad47b55d510b487e160a7c9ff477d6c10b48d7d5d4
SHA512

16cd328a5914919b263f142d84cca399a3fa5a21b332add63d0c2ee1f1be76a81f5412c6a7c9773f398c8ff927aba6e9d7c4ad15ad95e4c919dd48d0f6f1b154
SSDEEP

24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626uMEcpcL7nEaut/86:znAQqMSPbcBVQej/1INRbMEcaEau3

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3159) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3808 mssecsvc.exe
880 mssecsvc.exe
1728 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3808	mssecsvc.exe
880	mssecsvc.exe
1728	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3552 wrote to memory of 1296	3552	rundll32.exe	rundll32.exe
PID 3552 wrote to memory of 1296	3552	rundll32.exe	rundll32.exe
PID 3552 wrote to memory of 1296	3552	rundll32.exe	rundll32.exe
PID 1296 wrote to memory of 3808	1296	rundll32.exe	mssecsvc.exe
PID 1296 wrote to memory of 3808	1296	rundll32.exe	mssecsvc.exe
PID 1296 wrote to memory of 3808	1296	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b918c4f4ec5726ee9537c7a850d59b03_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b918c4f4ec5726ee9537c7a850d59b03_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1296

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3808

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1728

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3740,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:8
1⤵
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
305927fea0d349fb8cbf5bd131b087c2

SHA1
a884494044f95865e299ff4c9ca2aa07278c77d9

SHA256
bac51b555011092f31ad72722b3c8278351f40a75a2af7360606d46c77ce577d

SHA512
a5b3e541e9cdf7ca1c31e7d265ba6625f19ec089652c84d07010dc12f0c0a0f27ca731c9d612e341a4f51ced08c204df4a9f969f896a098f2f69588077a5277f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
edb9a90c9551b49e6d6cce96690f8eac

SHA1
f4748ea92777fde25450dd5376eecf18a0e7094f

SHA256
4afc10888a6d5bc298949bd54a8f365c40c2e3ad6ff0101e5d76ce807aecd84c

SHA512
1fb2dcbebbc2ac00fcb0ca4a4769e90ee48899e385f2bd5080bde894676e2aecab2ce439a02115a395304b73703bcb4d6cacc633a6970ac0ae2fd73c45411997

Download Submit