wannacry | cafb7841867fc7b1dd7bcb1c1da6f81f63750dd16831423ac54e2fcc9d22874a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 13:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0d149a7828c3ad6046da2d897bcff0c_JaffaCakes118.dll
Size

5.0MB
MD5

c0d149a7828c3ad6046da2d897bcff0c
SHA1

82d8d681d93dee030b6796d4889bb74644ba06f6
SHA256

cafb7841867fc7b1dd7bcb1c1da6f81f63750dd16831423ac54e2fcc9d22874a
SHA512

9aa8fc98cd9ca22e8479a19790249df9a9f032884baa92bbacfb99e7f9f18c6718763dbefeb3c348ee9ba50bfe1cf8ee78952eab830353be65ec682bafa15abe
SSDEEP

98304:+DqPoO1aRxcSUDk36SAEdhvxWa9P593R:+DqPj1Cxcxk3ZAEUadzR

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3279) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2700	mssecsvc.exe
1836	mssecsvc.exe
3444	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 4876	3892	rundll32.exe	84
PID 3892 wrote to memory of 4876	3892	rundll32.exe	84
PID 3892 wrote to memory of 4876	3892	rundll32.exe	84
PID 4876 wrote to memory of 2700	4876	rundll32.exe	85
PID 4876 wrote to memory of 2700	4876	rundll32.exe	85
PID 4876 wrote to memory of 2700	4876	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0d149a7828c3ad6046da2d897bcff0c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0d149a7828c3ad6046da2d897bcff0c_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2700
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3444

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
2cb069c56956bb9b6e62d393758d61a7

SHA1
220f4451f7ec2de03b482ddcf28c6ecda3e5366f

SHA256
0791f5ae5cbeec298082736457292521b23874ae0e77506c4ea12e65e3d2e52f

SHA512
13f47349f24593b4a0eb3094e816cf5c4bc826dc9a08c0ec9f5a4a55a17412b59fc6cfb2dcadbe1222c35e6d991e05605bf7db98b53557a2c128e831171babf3

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
d59d6d48c3d6e9292c296e557a186391

SHA1
7f0916d7befcf929521087cde11b6d94d7331154

SHA256
905ad8e2fc1f98ab1e934de1d01d85973291ccadd41c85ba1a7dcc3b2af6ed96

SHA512
7b2fc97070ac47e6596cfe0da96b1b1369feeb4ab62af136f172ee306187cee3e04b68b8f786d7b4b4dee49054d53a33cd8048abdc8cba9853b3e119a08ac23e

Download Submit