wannacry | e21bc9ecc5f805785c565b22af1927ffb5997c26fce7750f401ad523073a3a59

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a139899acde9af3c79c024bee1a800b_JaffaCakes118.dll
Size

5.0MB
MD5

6a139899acde9af3c79c024bee1a800b
SHA1

f9b48a632ad7b0c0ece14921ba71703d1045eb44
SHA256

e21bc9ecc5f805785c565b22af1927ffb5997c26fce7750f401ad523073a3a59
SHA512

94b7f4b4826b3ef28edf1c59a17c98337b539b48cf81c3b5bce8b2a54e190102389189bcd305407116dac836603376c79de8089baf98fa728a0567787e692e2b
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:d8qPe1Cxcxk3ZAEUadzR8yc4

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3304) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4348 mssecsvc.exe
4020 mssecsvc.exe
1320 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4348	mssecsvc.exe
4020	mssecsvc.exe
1320	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mssecsvc.exerundll32.exemssecsvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2596 wrote to memory of 4412	2596	rundll32.exe	rundll32.exe
PID 2596 wrote to memory of 4412	2596	rundll32.exe	rundll32.exe
PID 2596 wrote to memory of 4412	2596	rundll32.exe	rundll32.exe
PID 4412 wrote to memory of 4348	4412	rundll32.exe	mssecsvc.exe
PID 4412 wrote to memory of 4348	4412	rundll32.exe	mssecsvc.exe
PID 4412 wrote to memory of 4348	4412	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a139899acde9af3c79c024bee1a800b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a139899acde9af3c79c024bee1a800b_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4412

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4348

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1320

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
b3be914705f685c8b6c721532089e5a5

SHA1
1543667cae2c1b8619ff5a48a1b5deb9860e7e6c

SHA256
6e4e75cbf80b900584507d1d385c675147ef7333409ac25af596839c048cbc5f

SHA512
49990667cff8ef17e87566969454287917d159605d85ec8588f086f2a69f8b4d2a706df8ba69530d745bdaf4d9d17ca55acec7c4db99ead248d27106c67eb32d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
2935c7dc8f34e60ed96ea5418ad1a827

SHA1
80d36b6160d7da230942505dfb1cfe1138cbcf89

SHA256
93398a32a538dae5b17322cba7b4131c73335be95377ea3aed906d074922d8d7

SHA512
0fb88116fd1c3977cbdd0575e9ee69c72f3afa368d75a65b489a802893390d7ef2e504f6323a592d15552a3f1a685c89904fe3c104056ee271a76393d697c049

Download Submit