wannacry | 415f222902a8681030f8718769f47d9877799ade0269b3229a0a322cb6c33f13

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9bef10e5b2b11a40f9b330256fcb38e_JaffaCakes118.dll
Size

5.0MB
MD5

b9bef10e5b2b11a40f9b330256fcb38e
SHA1

7b9882c6f78bc6c7fa601a4651a06be3c04446d1
SHA256

415f222902a8681030f8718769f47d9877799ade0269b3229a0a322cb6c33f13
SHA512

dc6f9852429e10ced07f6a28a649dd6303ec8d8f57847742f3f556258b480fbd0a28fe9e700de889956fcf162b6645cbd30104de369801dfeb8410332e75b36d
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R:TDqPe1Cxcxk3ZAEUadzR

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3355) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
5036	mssecsvc.exe
1640	mssecsvc.exe
2192	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 3700	1184	rundll32.exe	84
PID 1184 wrote to memory of 3700	1184	rundll32.exe	84
PID 1184 wrote to memory of 3700	1184	rundll32.exe	84
PID 3700 wrote to memory of 5036	3700	rundll32.exe	85
PID 3700 wrote to memory of 5036	3700	rundll32.exe	85
PID 3700 wrote to memory of 5036	3700	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9bef10e5b2b11a40f9b330256fcb38e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9bef10e5b2b11a40f9b330256fcb38e_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5036
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2192

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
3db777438fc4a06be2132a85c8c3166c

SHA1
56383bf527782cca209d3783fc526071167e1c4a

SHA256
fa4bd603872a5984611d84538b63096905207e8e0444f80eb8ddc71684385916

SHA512
0283a483b36238db22fa1eafe8225b9701e3e9795064d0436c2ac8cd827520d4c10e31b4074c88e89b9c44dbdd4e91aed8838d2df26ec1aeee00170fed7911a0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
9bb7dcd3154cacee803363e03f25961d

SHA1
0cb722ee7592f8bfbaefb12bc7a57f0c3c311070

SHA256
50307def29387503c1f686278abb74bc3960999fe13654049a5befbcfd2bc166

SHA512
f00060caaa3fdcdc9f4dc02a11ae0a1d0871d4e5e72fde790e408eebdae45c92f48f63ec54bbe7d75e0f902f474440043b2dfed0f07ed722f790e6f7110be282

Download Submit