wannacry | e777da116238cc5635bdea8cf7a63552330e6228a4ac70c7533dec0f788626f4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99e6f96aefa286c73d4e8e6c2d83dda_JaffaCakes118.dll
Size

5.0MB
MD5

b99e6f96aefa286c73d4e8e6c2d83dda
SHA1

e7caad0805a6f45f851e8b2663a0888ccc2981e3
SHA256

e777da116238cc5635bdea8cf7a63552330e6228a4ac70c7533dec0f788626f4
SHA512

ef3a939c9fb05a9427f1252ef52b0bc87d19493bb0826e33f9b45ef8993c16b6fd207afc20116bc3ebb047f1decc485f77804400a758554e9842268c761856f2
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g:TDqPe1Cxcxk3ZAEUadzR8yc4

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3238) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
3364	mssecsvc.exe
1376	mssecsvc.exe
2532	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1056	5096	rundll32.exe	85
PID 5096 wrote to memory of 1056	5096	rundll32.exe	85
PID 5096 wrote to memory of 1056	5096	rundll32.exe	85
PID 1056 wrote to memory of 3364	1056	rundll32.exe	86
PID 1056 wrote to memory of 3364	1056	rundll32.exe	86
PID 1056 wrote to memory of 3364	1056	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b99e6f96aefa286c73d4e8e6c2d83dda_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b99e6f96aefa286c73d4e8e6c2d83dda_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3364
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2532

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
82064e8fb04b36ecc52272b124ce36b8

SHA1
d857e862604573fca6b85f2a59a02685ffe2d015

SHA256
f163ac40ec7b4a19c754798bab2f3b95a04bc1c76d249d72665d4cee27aaf2c0

SHA512
980176bbce6b2d4d02c015a84d6bbf44b8f213b77c9188146ff7a56981ede0c9117ce1698d221224115bda681aedc2780d18f37ea08e4a4df9f4a8ea54c2798d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
1d7741a3dd895a20c79ec94876a8eaf7

SHA1
0b680ea7434f0b85b34a76412463a9c61e35e583

SHA256
c6cfd76bd52d6878698be2ef94483bd263a40bc2e155b0aac44453cac03b9e3b

SHA512
5981626646605a59966acf75dbb2ec82458a43afd1b5d86ae465e02f72d53fc3f5c8837e08232380a113b0a05e9f97565211d36d039b28fdd2bd5c43dc5c52a3

Download Submit