wannacry | 46ef5b91a413baaff405121ca9896d152a21e0065f2243117145dbf0bda0a17a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 13:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0e29ec4d0c333bdda4c63e8bbeef39b_JaffaCakes118.dll
Size

5.0MB
MD5

c0e29ec4d0c333bdda4c63e8bbeef39b
SHA1

b548f7009083210a8a9f24608310d9121fe87009
SHA256

46ef5b91a413baaff405121ca9896d152a21e0065f2243117145dbf0bda0a17a
SHA512

c138fa2a6b65cdf3b2d831293d9377881b38e557d2a8fe6c1ed936e7b3af83ba6bf865d5ccf7fcf28feda22c31445dcc58c440b6f6395f497e458746c8a24d67
SSDEEP

24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRY:znAQqMSPbcBVQej/1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3261) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2924	mssecsvc.exe
3672	mssecsvc.exe
4196	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1844	660	rundll32.exe	84
PID 660 wrote to memory of 1844	660	rundll32.exe	84
PID 660 wrote to memory of 1844	660	rundll32.exe	84
PID 1844 wrote to memory of 2924	1844	rundll32.exe	85
PID 1844 wrote to memory of 2924	1844	rundll32.exe	85
PID 1844 wrote to memory of 2924	1844	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0e29ec4d0c333bdda4c63e8bbeef39b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0e29ec4d0c333bdda4c63e8bbeef39b_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2924
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4196

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
238805826b581996d4ceb6eee8190e21

SHA1
f0924cbfd54745be6263e672d7649fb1a9959717

SHA256
eb8792c5e7cf7641e7aace4190d47159732877a51e72e238eca59198aedab4db

SHA512
dad4afa79081e143917df1e548fa0436b36d02e1be23bbe608bd149a351885679620cf5f4bdc8f829e73eb69e0f7e113523cfbdb79448a86910623b8e3c237d2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
38c31cb5ce9b3b2d745f6027b8300314

SHA1
b6862ae7d17beb5ea964ec89175e9eabf5bb3cea

SHA256
b90a9cab850273e39cf41c7472f96294aaf140671769d961255e47633e2653b5

SHA512
fe7c20caf2a3e7df723790417160c556a39fb4848e60bd6fe1ac63f3d7e999c372c89a115eb20832a04ba60ba7f6cb2a0a7637e29a8d5f01c07820429ddff903

Download Submit