wannacry | 3825e10dab931b98dba12143a8a32ad97d372365c0e3ebfb25f2bccc99260752

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1c5d43ff410806d565e674b124cd185_JaffaCakes118.dll
Size

5.0MB
MD5

c1c5d43ff410806d565e674b124cd185
SHA1

02c43b7af23015120dd5142ddb357c723a9de610
SHA256

3825e10dab931b98dba12143a8a32ad97d372365c0e3ebfb25f2bccc99260752
SHA512

0d15b825dda1a23b28dc0e8d083dbcec3c881565b44e7c9b5700e651801966fd38bde6360e2017c60fbc8a7f7e5f09ea3ad440d392b626e9c3d08958d54da256
SSDEEP

98304:TDqPo5hz1aRxcSUDk36SA5dhvxWa9P593R8yAVp2H:TDqPK1Cxcxk3ZA5UadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3080) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4996	mssecsvc.exe
3952	mssecsvc.exe
1552	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 2716	556	rundll32.exe	84
PID 556 wrote to memory of 2716	556	rundll32.exe	84
PID 556 wrote to memory of 2716	556	rundll32.exe	84
PID 2716 wrote to memory of 4996	2716	rundll32.exe	85
PID 2716 wrote to memory of 4996	2716	rundll32.exe	85
PID 2716 wrote to memory of 4996	2716	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1c5d43ff410806d565e674b124cd185_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1c5d43ff410806d565e674b124cd185_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4996
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1552

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
600059a4a1cfabbdd7240fff9b183b24

SHA1
0fb75a0c4915731123d01776e58d6d8ce9cd9cea

SHA256
4db79e0b97a6003fbb22d274fcd80a75624ac3eee73347d7633bc08224b8ca2e

SHA512
094e342f31cefd8a1a00b54011daa1ad431dd5e9a3dec609ae48acc0d5ffdd50320aa1de223bb32657144552f415c7324161042679857e0e20c8bc594d7bb9b8

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
cfdd0c51c79178c57caa29007e5b88ce

SHA1
e46e1e5d856c6595baff21dc1d5caafde99b4539

SHA256
0324464212289861f1601b70c2e7152017a86d45ac64242015d60792b5f8e31d

SHA512
005edd387a2575103927acdc78fcc8a869807f408be79ddd264a4cf01c8886ab7087cad7086351f3c04d16c2695c1324be5b9f62769bc44908de111d08379762

Download Submit