wannacry | c642274c1109c6de3954e68f57b897a55c262702ee6f48b5e9770ac3a1757453

Resubmissions

11-08-2024 00:37

240811-ay1r5swfmn 10

10-08-2024 14:58

240810-scexnaycrb 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8683a6c8fdc3acde4f13c531ef0ec2a1_JaffaCakes118.dll
Size

5.0MB
MD5

8683a6c8fdc3acde4f13c531ef0ec2a1
SHA1

aef8e6adf601ac20d1af3fcf50c20a75fffbfd31
SHA256

c642274c1109c6de3954e68f57b897a55c262702ee6f48b5e9770ac3a1757453
SHA512

9d0d6f1017a3068963601f5b7adf3db5cd543274dd09d5492c93628f0b6a4c6a419b85c1e9e3cf12ef69d70351e53b4f15381aaaaba1f15e71e71f38aa509708
SSDEEP

98304:a/qPo1hz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:a/qPy1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3295) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

4604 mssecsvr.exe
2204 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
4604	mssecsvr.exe
2204	mssecsvr.exe

Drops file in System32 directory 4 IoCs

Processes:

mssecsvr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvr.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvr.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvr.exe
File created C:\WINDOWS\mssecsvr.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exemssecsvr.exemssecsvr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4440 wrote to memory of 952	4440	rundll32.exe	rundll32.exe
PID 4440 wrote to memory of 952	4440	rundll32.exe	rundll32.exe
PID 4440 wrote to memory of 952	4440	rundll32.exe	rundll32.exe
PID 952 wrote to memory of 4604	952	rundll32.exe	mssecsvr.exe
PID 952 wrote to memory of 4604	952	rundll32.exe	mssecsvr.exe
PID 952 wrote to memory of 4604	952	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8683a6c8fdc3acde4f13c531ef0ec2a1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8683a6c8fdc3acde4f13c531ef0ec2a1_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:952

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4604

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
3.6MB

MD5
25a0ad26bc7a5997378dba06e9152a48

SHA1
992a271a0eec0388fdd524aa049e7e4e30401720

SHA256
2794a705c163218f71fbf59773f5447a05b776100ce4d08318bd055c9bfe09ef

SHA512
9b2eeb7c72c98fa4e7089419528a3041f6df3e13d435d378cd0aafce1500d452ac28e9f6363f0d93893da8b7839c9f9ac8541e6891a8e785f5333521813336eb

Download Submit