wannacry | dddea6d33dd76976ad6880135123f732a9d13a32bfd09264385d07110e27daa3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0a31fb2c42576ef6a620b89df30d322_JaffaCakes118.dll
Size

5.0MB
MD5

c0a31fb2c42576ef6a620b89df30d322
SHA1

0b00c1eda389240c538c52bfef047646fbe0afd8
SHA256

dddea6d33dd76976ad6880135123f732a9d13a32bfd09264385d07110e27daa3
SHA512

dbc9efa533fb958b61689819944b19c5c419d478a6cacd41624c39da386e2da0041e562b8c398512a53021f9dd5f9a6e8d233ddbc7aa0107be68461128045637
SSDEEP

98304:+DqPoBhz1aRxcSURdhvxWa9P593R8yAVp2H:+DqPe1CxcDUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3318) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
3352	mssecsvc.exe
628	mssecsvc.exe
640	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2612	4956	rundll32.exe	85
PID 4956 wrote to memory of 2612	4956	rundll32.exe	85
PID 4956 wrote to memory of 2612	4956	rundll32.exe	85
PID 2612 wrote to memory of 3352	2612	rundll32.exe	86
PID 2612 wrote to memory of 3352	2612	rundll32.exe	86
PID 2612 wrote to memory of 3352	2612	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0a31fb2c42576ef6a620b89df30d322_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0a31fb2c42576ef6a620b89df30d322_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3352
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:640

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
da596b0c0d19b2467f79377f9d207c05

SHA1
d4ae44f978fd60817041f990de06fa937549622f

SHA256
933a60e584859ba6def26e4d4e7bcd1b55fdd9f8718e762400d92643a18607cc

SHA512
a2f41d2ca86c9f1438b807cf0e078dc53fb5f8cc062e9a7591840705b717f3d4fa3ad3d2547a66649f9312e6acba554be722da37ba04d35ff78cc90b6d09095a

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
9b8f9953f19eba31efd6112a5299b2cf

SHA1
7d6ffc11df875518f6826f22be56883b227af050

SHA256
6047e56ce0dfdd81449eb2e14e8d85f6e856451fe10a8ff8d909f6c5ccbdbbac

SHA512
2bbe71584004922def0ec45eef6430cb76c793669968a5f801d6cedad3431636b0cc33767e01dd0f05174a61ef2c281987043a039a5d0ed2f6c6adca56f97b57

Download Submit