wannacry | c196f82b9099ff065da7ea59000af48239cbb46fcde173fb5fe3778055aa4fb1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f108bcc01879026ae1dffe45e176c25_JaffaCakes118.dll
Size

5.0MB
MD5

9f108bcc01879026ae1dffe45e176c25
SHA1

5ceace2efc67beb605291341e6e9e2909007ee49
SHA256

c196f82b9099ff065da7ea59000af48239cbb46fcde173fb5fe3778055aa4fb1
SHA512

e9a28bca9bd6af2a6a91d1e9e9844baf13ed2a6c67600b5edf906ebdcdad2f9404f420f540901191ba7bc46308710b5b61769bc62c5a27ed8d4f47c6f9eda304
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAx3R8:TDqPoBhz1aRxcSUDk36SAC3R8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3220) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4588 mssecsvc.exe
2848 mssecsvc.exe
4516 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4588	mssecsvc.exe
2848	mssecsvc.exe
4516	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exemssecsvc.exemssecsvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3596 wrote to memory of 2664	3596	rundll32.exe	rundll32.exe
PID 3596 wrote to memory of 2664	3596	rundll32.exe	rundll32.exe
PID 3596 wrote to memory of 2664	3596	rundll32.exe	rundll32.exe
PID 2664 wrote to memory of 4588	2664	rundll32.exe	mssecsvc.exe
PID 2664 wrote to memory of 4588	2664	rundll32.exe	mssecsvc.exe
PID 2664 wrote to memory of 4588	2664	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f108bcc01879026ae1dffe45e176c25_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f108bcc01879026ae1dffe45e176c25_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4588

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4516

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
1d0eb66733df9fb587d79f7cce342216

SHA1
d955467f0b6b902e085206a545ed5b9f9a0b92ff

SHA256
9badbd85e7f6e70f21b1f3851952f00b8fa4b99de679c0087f56efa30244bcfe

SHA512
0571d657171eabc97ec027ca2daeb9966302833a9189d0e51ad7c212b90d764353ce7d1fc114828b1cbe15b1fe5f7d47d267551b6a37bb445d101fb0d2e0c4c2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
951cf84627111beb5614e239b7048ab0

SHA1
5bda6308a096a19f522501588a56b5d536ba6bed

SHA256
28928852d3fe9190c177082000afec221bc857ad897b662802ac0e3da053b2f7

SHA512
0e43f32c43a11f1ed3d6b7202471566c84de311beb37a911509e3e98174139bab4e2a930c1580b352a1e909af49ab001cfa8517963f85a26314b5b4d25513d1e

Download Submit