wannacry | 41a3bbfa2cad3856bd38582c56907730254327375b34b6936589049f3721ac34

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c56bf13f6008d79d4a61abd78a2f9b99_JaffaCakes118.dll
Size

5.0MB
MD5

c56bf13f6008d79d4a61abd78a2f9b99
SHA1

e64dfd3182fb3932aa526a9c1e803e7152d05f5b
SHA256

41a3bbfa2cad3856bd38582c56907730254327375b34b6936589049f3721ac34
SHA512

20c96190cbda3582db8bb3b38ecfce6abc2c59c2f5aa9dad8f8e0d6c7bbedc34c5a9c4013e903e49cbaab416f2556cd658bbdf853ba14f46c59abdb24cbec093
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0PSrHV7YoZnA/70CUs1pNZtA0p+9XEk:SnAQqMSPbcBVarHV7YoG/QC51plAH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3322) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
512	mssecsvc.exe
216	mssecsvc.exe
980	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 5104	1628	rundll32.exe	86
PID 1628 wrote to memory of 5104	1628	rundll32.exe	86
PID 1628 wrote to memory of 5104	1628	rundll32.exe	86
PID 5104 wrote to memory of 512	5104	rundll32.exe	87
PID 5104 wrote to memory of 512	5104	rundll32.exe	87
PID 5104 wrote to memory of 512	5104	rundll32.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c56bf13f6008d79d4a61abd78a2f9b99_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c56bf13f6008d79d4a61abd78a2f9b99_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:512
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:980

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
036079676c72ee8a6f6d1edc3d11f440

SHA1
055cacb6d5bd4353faed6c81f5036fb6fea2629c

SHA256
b2374ebd0bba0c343cff2b282d8419be7fa87755a1d28b7c2e9586cfebe7e6b4

SHA512
541509383cf4a9939bea546ed72c4eabb8e48a90878dac13e82c8319f95303c8713a4355da60bd3639c13bad3a3fed2dd4e5dd766001c256ca372486b9dc698f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
570d0a9ff9259487a9098307b2382680

SHA1
a1f78e18c9afc6a177d318f717c7670980059527

SHA256
f599ccf76383b24001a15a46d197e33aea0d21697d1834be20e435c9ec1fe421

SHA512
6e49fa01d5f73dc64c36dbd7aa368312c66c6deaad71beb5a9a5fb8c7e94985e86edb509439b6abf5d94acdf84d6b750e68e667c8c8de01e197a18f2d3e14660

Download Submit