wannacry | 68ba4f71995025612f70be0c0ff6f0578781f1c144aa24f2928f370c45503b60

Resubmissions

27-08-2024 15:01

240827-sdz9zsxhrl 10

27-08-2024 14:55

240827-sam59awdna 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c535d0ca60d2e77f3f849a6ac49a38cb_JaffaCakes118.dll
Size

5.0MB
MD5

c535d0ca60d2e77f3f849a6ac49a38cb
SHA1

b55644e0bfde458e34e144dfe52e5f08f8af2da4
SHA256

68ba4f71995025612f70be0c0ff6f0578781f1c144aa24f2928f370c45503b60
SHA512

89cef15c22eca56990d8321269798db3f6b5a581217a93908306f155f64fad2ef9a43f83bb2bb79f3c7f7ebc308ce6622e23fa755ebb33cb0319d29c5b7f3f2b
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8y:+DqPe1Cxcxk3ZAEUadzR8y

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3199) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
3688	mssecsvc.exe
1936	mssecsvc.exe
4568	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 716	4916	rundll32.exe	84
PID 4916 wrote to memory of 716	4916	rundll32.exe	84
PID 4916 wrote to memory of 716	4916	rundll32.exe	84
PID 716 wrote to memory of 3688	716	rundll32.exe	85
PID 716 wrote to memory of 3688	716	rundll32.exe	85
PID 716 wrote to memory of 3688	716	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c535d0ca60d2e77f3f849a6ac49a38cb_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c535d0ca60d2e77f3f849a6ac49a38cb_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3688
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4568

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
13811dea41a16129e6e56da385071e0e

SHA1
8aff71e7e582163b3732f3e690113c534ead5415

SHA256
eae935145d83468cffc8090750ab5979d0ada29e332715ce6032de77a7b2f04c

SHA512
3ef5278264616aaa8d7d6f393bc159f4eaed7c5e8ba420ce7291fb51723ae7585ddee5976992c491aa7099e65955d65ed8f2086a5c5dcae9d09b4e77ff6d149b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
e74eb6fa2a2bc4b0d243cdee618e9819

SHA1
61f6f281b2436acf2b1fa054ceb763c280d535e6

SHA256
7d99aaa426e4f057185168d127b7bf57f13fc971e486af58c85a0d10ee930616

SHA512
400dfd700b79db143949845a97122834676f64e0dc0a068f02b283e6fbb0fb52c33d44b5ba5a39de191e72a72da78a2d98dc8b4b2f0dd52fc0995b1a1a5e49f3

Download Submit