wannacry | c642274c1109c6de3954e68f57b897a55c262702ee6f48b5e9770ac3a1757453

Resubmissions

11-08-2024 00:37

240811-ay1r5swfmn 10

10-08-2024 14:58

240810-scexnaycrb 10

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11-08-2024 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8683a6c8fdc3acde4f13c531ef0ec2a1_JaffaCakes118.dll
Size

5.0MB
MD5

8683a6c8fdc3acde4f13c531ef0ec2a1
SHA1

aef8e6adf601ac20d1af3fcf50c20a75fffbfd31
SHA256

c642274c1109c6de3954e68f57b897a55c262702ee6f48b5e9770ac3a1757453
SHA512

9d0d6f1017a3068963601f5b7adf3db5cd543274dd09d5492c93628f0b6a4c6a419b85c1e9e3cf12ef69d70351e53b4f15381aaaaba1f15e71e71f38aa509708
SSDEEP

98304:a/qPo1hz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:a/qPy1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2085) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
616	mssecsvr.exe
4696	mssecsvr.exe
4688	tasksche.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1320	4688	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
864	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3904	1964	rundll32.exe	81
PID 1964 wrote to memory of 3904	1964	rundll32.exe	81
PID 1964 wrote to memory of 3904	1964	rundll32.exe	81
PID 3904 wrote to memory of 616	3904	rundll32.exe	83
PID 3904 wrote to memory of 616	3904	rundll32.exe	83
PID 3904 wrote to memory of 616	3904	rundll32.exe	83
PID 616 wrote to memory of 4688	616	mssecsvr.exe	88
PID 616 wrote to memory of 4688	616	mssecsvr.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8683a6c8fdc3acde4f13c531ef0ec2a1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8683a6c8fdc3acde4f13c531ef0ec2a1_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 8
        5⤵
        Program crash
        
        PID:1320

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:864

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4688 -ip 4688
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
4d52399020a24c1f6b4254cc7252504b

SHA1
2afe0c8994c64898d5fe16ca68811438ef19b0ee

SHA256
e75a14ce8abaea1788c4361552ef9ef2b86ea02485eb4ad5f8c22c9c49ece3e7

SHA512
a481726d4ef1dfd67a86ae79e16abda87a0f370310758cc8a1bb2516a69557129e9612b9430c0ae11d7ddf72e1afc3375f5649a09bb53febe5cc16718ba976b4

Download Submit
C:\Windows\mssecsvr.exe

Filesize
3.6MB

MD5
25a0ad26bc7a5997378dba06e9152a48

SHA1
992a271a0eec0388fdd524aa049e7e4e30401720

SHA256
2794a705c163218f71fbf59773f5447a05b776100ce4d08318bd055c9bfe09ef

SHA512
9b2eeb7c72c98fa4e7089419528a3041f6df3e13d435d378cd0aafce1500d452ac28e9f6363f0d93893da8b7839c9f9ac8541e6891a8e785f5333521813336eb

Download Submit
C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
5f80c54de7e00489bf51d0ff66158f10

SHA1
ebf83fd4127d539b48b27cbc5528ac0480181c1d

SHA256
14a14fb7bde9794b67b3e62837f6e6cdc0cb801657dd46726cc0a4bb15727d19

SHA512
dcb132fa4bd04f6bb0fc3068874eb976afd96d48d598bfbafc9b2922b8f5e994cc667ec24ad95070f9962eb59596bc2b632c3442465c2b06f1c04e8476305d85

Download Submit