wannacry | ba40208a38500e7c001fede2b264ae758e115750c80384f67ed4163edc5d2644

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e8e8eb9b0c25208b5c83be09430c010_JaffaCakes118.dll
Size

5.0MB
MD5

1e8e8eb9b0c25208b5c83be09430c010
SHA1

be0ed07c7ec11f091b5a351bde73f78458d8c8e3
SHA256

ba40208a38500e7c001fede2b264ae758e115750c80384f67ed4163edc5d2644
SHA512

51ea750fa7e9a0b3ef8e9088e70ade172a80a860a471a1cbce004628ab6866fbe882d7f1091da9c169473751defb826045bfc5aef227d9d8c85a14d0c217a8dc
SSDEEP

98304:dDqPoBCRxcSUDk36SAEdhvxWa9P593R8yAVp2H:dDqPNxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3063) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2788 mssecsvc.exe
4644 mssecsvc.exe
5024 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2788	mssecsvc.exe
4644	mssecsvc.exe
5024	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1900 wrote to memory of 3192	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 3192	1900	rundll32.exe	rundll32.exe
PID 1900 wrote to memory of 3192	1900	rundll32.exe	rundll32.exe
PID 3192 wrote to memory of 2788	3192	rundll32.exe	mssecsvc.exe
PID 3192 wrote to memory of 2788	3192	rundll32.exe	mssecsvc.exe
PID 3192 wrote to memory of 2788	3192	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e8e8eb9b0c25208b5c83be09430c010_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e8e8eb9b0c25208b5c83be09430c010_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3192

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2788

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:5024

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
b56e522fb80d4ef60f35b545778aa684

SHA1
eab7d1905507eac1fd98368aa3dca1f3e3965772

SHA256
336fa3a05d1323def585f932ba6ac418df72e1b63af35ecc941a495d7351d992

SHA512
00b4b58bc70cfbaf70b51b817967485efa3b956bc869e5f408d0ddd37c8291caa558b8052ef79bacccf713d3641dca603b9a77017a07e24952b2d17ad1b70def

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
31153363ae2babe5a02023a85fdcd206

SHA1
7f2a1b8f08322698fce320caa449515090afc4cb

SHA256
5bf7e8e373424701db22720f04e098f435e7748f747b583d2524da386f892f58

SHA512
84f1b6d2f8aff4fdda8ea483f5338e3d72ec11a9cdbe520215dea1cccbe341cc183ab51954931a01eb1b5be627b8b90837db42ac1020e629ed00b2d1c410710e

Download Submit