wannacry | d3da6ee3efab95de2a8f083ffc999c54408e9afdddd8d319765ecf853d41d91a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baf619c98be41c1671525ea9a38f7b99_JaffaCakes118.dll
Size

5.0MB
MD5

baf619c98be41c1671525ea9a38f7b99
SHA1

4c953ea1cfd85ca9b90ef38a8dd23c1b12384875
SHA256

d3da6ee3efab95de2a8f083ffc999c54408e9afdddd8d319765ecf853d41d91a
SHA512

023baee979a8961295935096f1dcbbb4bbb8e662abca7af318d7809168cec5d674e42428b22f6172eb9064600b9a2fac0e5a1241fc06964af49a4a5e7dabaea2
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SA:+DqPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3362) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2020 mssecsvc.exe
1140 mssecsvc.exe
4808 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

pid	process
2020	mssecsvc.exe
1140	mssecsvc.exe
4808	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1784 wrote to memory of 4400	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 4400	1784	rundll32.exe	rundll32.exe
PID 1784 wrote to memory of 4400	1784	rundll32.exe	rundll32.exe
PID 4400 wrote to memory of 2020	4400	rundll32.exe	mssecsvc.exe
PID 4400 wrote to memory of 2020	4400	rundll32.exe	mssecsvc.exe
PID 4400 wrote to memory of 2020	4400	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\baf619c98be41c1671525ea9a38f7b99_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\baf619c98be41c1671525ea9a38f7b99_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4400

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2020

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4808

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
e9d22936809ac0ac31e78d319cdf4121

SHA1
a0c8d6175d5e59ff0f6e6d5f532e2097dc8a2f76

SHA256
b609c5223ede3062d1eae324a539fb60c4413e3838d7b0fd851565cd72805cf9

SHA512
dc6b122d33306ad27e31f3737f54e225953c7ec841967496d223c757589b844ded0600f31a31b0cefcdb4c24905e24060f0233b1be070e31589d4c33e28e37d2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b915ee558ee808d9f40a9222ff3a8e6b

SHA1
5ee2237895bd246fb2cebf706d9f98cc99cb17f2

SHA256
cce4ec920f6c06f7a928070937a8121729a0f826554f59756afbc2bb4dbafcd4

SHA512
ded8b1b9abd681f5231cc7401cb5efad40f999d0bb1f4c4cc2f7363d0dabd1e954e2f577b52df74a1cb44c99d7fe037031d7f8db196856135a743664bd3c7b15

Download Submit