wannacry | 4e32b959505ccc984575f6ce25c60ca6ba1647bb2c09154e1664e436fd605dd7

Resubmissions

18-06-2024 12:17

240618-pgdnlsshnc 3

18-06-2024 12:12

240618-pc65cssgld 10

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbddaa9aa14729433778243150648fb2_JaffaCakes118.dll
Size

5.0MB
MD5

bbddaa9aa14729433778243150648fb2
SHA1

34246e6b17a4d0d63c8f17ae694a4efffd5ac8bb
SHA256

4e32b959505ccc984575f6ce25c60ca6ba1647bb2c09154e1664e436fd605dd7
SHA512

17f77832385703a3a1af9195a3e0b6b8fce89deaa83834fe2db2345336a497e492049082850b55e0abf11a31328eaba2d065faa07876f94cfb1b60442bd952d2
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAQa9P593R8yAVp2H:TDqPe1Cxcxk3ZAQadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3023) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

5004 mssecsvc.exe
516 mssecsvc.exe
1188 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
5004	mssecsvc.exe
516	mssecsvc.exe
1188	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3640 wrote to memory of 2916	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 2916	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 2916	3640	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 5004	2916	rundll32.exe	mssecsvc.exe
PID 2916 wrote to memory of 5004	2916	rundll32.exe	mssecsvc.exe
PID 2916 wrote to memory of 5004	2916	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbddaa9aa14729433778243150648fb2_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbddaa9aa14729433778243150648fb2_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2916

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5004

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1188

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f89e4e01601791d745fc8414205de24f

SHA1
bf08810c635a47242360eaab84d9d63afe9ceda7

SHA256
87d53426285a791b7dbde916abb217d1eb076d43af130ba869e2b940cf7e03f0

SHA512
e31a8d7bcd3ff3c1cbe7f6a3a60fd1ea7ec23fd305b42ea5e97c59295ede80de3f86b6a88533cc9fa758a9957c4e7892f873cf70482b20641adc9e0c5878b388

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
150a215fe2ceb2cd159be6c0e46fc68d

SHA1
a60fc1994075f4f2a0b35d14375ac7fb3ab0928c

SHA256
2515cd20dd93a2e4d074146a9f3e85ec6e1b412f72a4ff06de42ba73a4c8d7cc

SHA512
29839197a61971a004003f5ca2304775247c103b4c7b91ba0726d18226a85a1f3a918dfda47de2260676465d1ceb9854d74ce1f8ce3c592abab17cbbb015b656

Download Submit