wannacry | 67787992efdeba0523cd2d4d2a61903473e74430ee8e82b25d55fe1ed7001440

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b5a9da099c8dd5b63a63c01c0256210_JaffaCakes118.dll
Size

5.0MB
MD5

6b5a9da099c8dd5b63a63c01c0256210
SHA1

6cf798c80bff0d7131b26a3d3c6b8a69fdf6d5b1
SHA256

67787992efdeba0523cd2d4d2a61903473e74430ee8e82b25d55fe1ed7001440
SHA512

778d8b974a966e1399ab428407426a9db31a45f8bee954f1d530d4e4b8936623475e3d1e57a6bab5ef5ecf55613147964969d5533a67d1a2a1d0becc968ed6de
SSDEEP

98304:gzqPoBhUk36SAEdhvxWa9P593R8yAVp2H:gzqP3k3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3286) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4932 mssecsvc.exe
3688 mssecsvc.exe
264 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4932	mssecsvc.exe
3688	mssecsvc.exe
264	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mssecsvc.exerundll32.exemssecsvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2036 wrote to memory of 5020	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 5020	2036	rundll32.exe	rundll32.exe
PID 2036 wrote to memory of 5020	2036	rundll32.exe	rundll32.exe
PID 5020 wrote to memory of 4932	5020	rundll32.exe	mssecsvc.exe
PID 5020 wrote to memory of 4932	5020	rundll32.exe	mssecsvc.exe
PID 5020 wrote to memory of 4932	5020	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b5a9da099c8dd5b63a63c01c0256210_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b5a9da099c8dd5b63a63c01c0256210_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5020

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4932

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:264

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
eee8dcd12e35775eacc7caf6f9c2b4c7

SHA1
b5992bfe525d48a0961c41e95805e54eb65145ce

SHA256
0fd0d5ebe1e299daafa691813be11f40fd96b8854e5202a19915e368d38b12c1

SHA512
182667c5ec86de18ec7734cfc09a168e3ec507378274f35f75b9d383c18f652262174b57a4d96c8d33c0ed55f2534ddebd9d688cffd978de623195a4b62992e8

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
1b48bb988a50928320efb614414eb5af

SHA1
a7edff99f3e444ef80622552c017a76a928393c1

SHA256
e014a1d3362c38258759c5b3cfb7bfad82c12b489c85c98ac1165ceca83ffe90

SHA512
aeb5c5b734523c6d70838c58de8f65c15049f9feda462ec24df939b9b42fd6b125a95f1e83e2d5770831a213c76cc09658bd4586f57ad972e1426a3ef8c5fd71

Download Submit