wannacry | 5353112eff461c51afc13af66b45c2e1c51c887357c8aaa377e711c98d25f82c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bde52e2773d0acb422a7a42ef6824bc5_JaffaCakes118.dll
Size

5.0MB
MD5

bde52e2773d0acb422a7a42ef6824bc5
SHA1

d3ec8332484ffca41295dbd7c6347b7b23a67b4e
SHA256

5353112eff461c51afc13af66b45c2e1c51c887357c8aaa377e711c98d25f82c
SHA512

1601952cfa5975d6ff40b8bbacd7f794214d5eb2f16ab3225c408142be8ff66d8a405311de461156bc7828238c405f1116b9f2e556354308ed45fc9b49429769
SSDEEP

49152:RnuQIEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1ZIyfBhz1aRxcSUDk36SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1963) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1248	mssecsvr.exe
4280	mssecsvr.exe
2720	tasksche.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4288	2720	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 3248	1788	rundll32.exe	84
PID 1788 wrote to memory of 3248	1788	rundll32.exe	84
PID 1788 wrote to memory of 3248	1788	rundll32.exe	84
PID 3248 wrote to memory of 1248	3248	rundll32.exe	85
PID 3248 wrote to memory of 1248	3248	rundll32.exe	85
PID 3248 wrote to memory of 1248	3248	rundll32.exe	85
PID 1248 wrote to memory of 2720	1248	mssecsvr.exe	100
PID 1248 wrote to memory of 2720	1248	mssecsvr.exe	100
PID 1248 wrote to memory of 2720	1248	mssecsvr.exe	100

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bde52e2773d0acb422a7a42ef6824bc5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bde52e2773d0acb422a7a42ef6824bc5_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2720
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 596
        5⤵
        Program crash
        
        PID:4288

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2720 -ip 2720
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
6d5d32d747fdc6a5521fa3a6d07b328a

SHA1
a6aab7d94637044ce562e67ea45e9ad0e9d86545

SHA256
5ba58aaa4953dd66856d718d401b68c9ddd399143f85b6d28ac98960aa1d127d

SHA512
c91f3330cef16f45415cd839f0b02131588081eb81db190d7297682d7f4258d1fa96558cd4972ba74051499aedce1c93b188a428076c85a60f508be7ddc4b722

Download Submit
C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
3ae241cb9b4ceffbdae2f3c40d023f6a

SHA1
f3051e6981ea651e9af3c4fd8e838a743bb31237

SHA256
4da1d893eae81bf30e25bdc6498a614cbebe4d42ac150d9d0e257d8893e19ab7

SHA512
458440bbd129e4a66d09100da998de70313c50297cb26a45204f3e8d4c4367405a67928e41bf346b8a6b238020ff49aab8f9826dc020bbd35cb32674cf409053

Download Submit