wannacry | a735ae0e3018c7098d998c17ad5f01d0ddb72edfa754a9e9ddd1a70c2f095c97

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bea2c7b2a054321b99b855abaa7ede8f_JaffaCakes118.dll
Size

5.0MB
MD5

bea2c7b2a054321b99b855abaa7ede8f
SHA1

55bb7148586969fdd2be6b94ab3846937d88623e
SHA256

a735ae0e3018c7098d998c17ad5f01d0ddb72edfa754a9e9ddd1a70c2f095c97
SHA512

2f0d3c70edef83e4bf0597e107000be68c554be2010e436bd4c0916cd375060b01508434e30844261098b28c517a97636adb71a70d2eaffb052f9011c2dce5c8
SSDEEP

24576:RbLguriIfEcQdIvrYbcMNgef0QeQjG/D8kIqRYoAda6626WgkQg6eX6SASk+Rdhv:RnpEjbcBVQej/1Il6kQo6SAARdhnv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2139) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1416	mssecsvr.exe
3768	mssecsvr.exe
3972	tasksche.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240676843	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3540	2416	rundll32.exe	84
PID 2416 wrote to memory of 3540	2416	rundll32.exe	84
PID 2416 wrote to memory of 3540	2416	rundll32.exe	84
PID 3540 wrote to memory of 1416	3540	rundll32.exe	85
PID 3540 wrote to memory of 1416	3540	rundll32.exe	85
PID 3540 wrote to memory of 1416	3540	rundll32.exe	85
PID 1416 wrote to memory of 3972	1416	mssecsvr.exe	101
PID 1416 wrote to memory of 3972	1416	mssecsvr.exe	101
PID 1416 wrote to memory of 3972	1416	mssecsvr.exe	101

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bea2c7b2a054321b99b855abaa7ede8f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bea2c7b2a054321b99b855abaa7ede8f_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3972

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
d5807bba032a43cefb7395db67815b92

SHA1
16fd39c70c5bc03ffb413791fe557442efd5d20f

SHA256
50b2154a7a32c24a4e1527c8f5ad13b59714669f76fbb8c4b06ef639ca10386a

SHA512
9c7b90604392dac65562a91b8c3b852bbdce8bf1f6a08e06d873e76460fad2ace665f32d58b2598a13356bda53a1f2b65845107e0e24c28807075d074d743a2c

Download Submit
C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
360eacd6ecc8bcf9d8be365359a4015a

SHA1
543e07d13c23ffc47473cc44662b4f68f7c89422

SHA256
333a8fce65282a63680b96b5421265c8e04497b1944612cb8d2e7418aca71aac

SHA512
6c25aae097f1d0e42b7cf665f95985f4d519b35341fbebd1d57d8d13c027078351677e1a74b3f764363a2efffa33d72e5d5197892b9e5f0a40a346d2ba0ea977

Download Submit