wannacry | 143950805c312b458ceac2c46019c445e060c4bda14c6d851f9237edbb60583a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

862e9e77d04da0117d7527ee86b6735a_JaffaCakes118.dll
Size

5.0MB
MD5

862e9e77d04da0117d7527ee86b6735a
SHA1

46ed914abda4a189c508c91c997d6d3f45bf3820
SHA256

143950805c312b458ceac2c46019c445e060c4bda14c6d851f9237edbb60583a
SHA512

6991dd219d4018e534640c76aa847e6173798409eebc23a7a35efa0b6e547aff1f8d33aace08095523255df2dc483a7bd0c341e79e51f74a8dc4de5037f360ab
SSDEEP

49152:znAQqMSPbcBVQK+TSqTdX1HkQo6SAARdhnv:TDqPoBZcSUDk36SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3307) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
3788	mssecsvc.exe
2612	mssecsvc.exe
2688	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 4224	1336	rundll32.exe	86
PID 1336 wrote to memory of 4224	1336	rundll32.exe	86
PID 1336 wrote to memory of 4224	1336	rundll32.exe	86
PID 4224 wrote to memory of 3788	4224	rundll32.exe	87
PID 4224 wrote to memory of 3788	4224	rundll32.exe	87
PID 4224 wrote to memory of 3788	4224	rundll32.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\862e9e77d04da0117d7527ee86b6735a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\862e9e77d04da0117d7527ee86b6735a_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3788
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2688

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
16d2d831a8fcc95480c558c518608e39

SHA1
266f62cdb79b6698051c9e8f3118d44eabd15f07

SHA256
a5685f289b5f658952ee1d3e3fd955ced42a44fa84e1f2c76df9925f2ca33d37

SHA512
f2388f94b0f46909d9d1fae8898ad15466c0e100c9ee9e55348cc0a965a16fccc263a53bb8a2d8318dee8d590e9c7ff1d4f53084fb8055daf9c6b9d5b91d832f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
048f00ac095fa94dfafde57a95a2ecc5

SHA1
28c41d5ce0b60458cc6be7a433e187ee36d94d41

SHA256
084285f753f5067a242e9281537c7768da8fb1d868042e8240a2dcdf0608e8fe

SHA512
b6f219e43f0a798327a65fa1141c14508123be88671561c9b6689b881ced725d5a456fe59352dcd9bbf642c772b272b36ce4d9bf13e4b44d66d615e644c24497

Download Submit