wannacry | 5e9f0f624efcd671113f8db49ae22e3375c90263e4720243c453970fa98b778e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2c766e66dced7a69e19bb965bf0481b_JaffaCakes118.dll
Size

5.0MB
MD5

c2c766e66dced7a69e19bb965bf0481b
SHA1

45eb459dc67f151009c6c9391711053601405eb4
SHA256

5e9f0f624efcd671113f8db49ae22e3375c90263e4720243c453970fa98b778e
SHA512

889108cf0394224ccbbc710c6e8110dcc397648869a1e92c1ee1c75437b9caa15fed4bac4c364c5f0ebdd292a3f189f46536a42660ff309146a7a10680d7cfa3
SSDEEP

98304:+DqPoBhz1aRd36SAEdhvxWa9P593R8yAVp2H:+DqPe1Cd3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3342) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2088	mssecsvc.exe
2264	mssecsvc.exe
2944	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1220	2200	rundll32.exe	91
PID 2200 wrote to memory of 1220	2200	rundll32.exe	91
PID 2200 wrote to memory of 1220	2200	rundll32.exe	91
PID 1220 wrote to memory of 2088	1220	rundll32.exe	93
PID 1220 wrote to memory of 2088	1220	rundll32.exe	93
PID 1220 wrote to memory of 2088	1220	rundll32.exe	93

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2c766e66dced7a69e19bb965bf0481b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c2c766e66dced7a69e19bb965bf0481b_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2088
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2944

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
7d916dfeb71e0b6164debf9b6852cb1d

SHA1
0814cb797476b59bae059c546971450d04c91479

SHA256
b08c75e60e1c3c1a7f6606c36fc4435b7ea6b5a0be9dae9b05bdaa8b04ceeef6

SHA512
ee40fdfcede1448debaf427a544fa9813f91c4c69fa0a8fd66f7448f28dafc5ae10e94353009bf0802a59418e672d0eb9fdca6e8fdb783b4c2cdc0beb12b8779

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
89ce86266f7fec4c90b79efb2069ce9c

SHA1
cbd7b3c2f491ba1e9f0d2447abaf3a6c7d4b6a3f

SHA256
a6efb3afa0f8ecaf208c62cd7bb3a7c1a722bffc9c726d48a190ffeb3f5e60b6

SHA512
0a7b17b181d58f3a648820632a54332542947d2f1d0b5797267104ddbebcf619c03cf4252856d536bb71c9eec1720adcbd6cc7cfb7eba0895073aa59d270378f

Download Submit