wannacry | d0a45c51cc535e01462574893b4ba72c8273fe42fd6bfcbb8fb5e38876ba2962

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c69c3426b0a18a32fd1b92141de9f31d_JaffaCakes118.dll
Size

5.0MB
MD5

c69c3426b0a18a32fd1b92141de9f31d
SHA1

51d7b7136d3ec9245c1214c5d360abd862ce1014
SHA256

d0a45c51cc535e01462574893b4ba72c8273fe42fd6bfcbb8fb5e38876ba2962
SHA512

43596018faca6445ef8780ff25a2856204a62f78d09fa0be0c05f2cc5f064a914ccd7ae0cdbcc407d4f8ebd98c3aaf9e7072a497d3c140772619350e37147751
SSDEEP

12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DhEh:SbLgddQhfdmMSirYbcMNgef0kE

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3071) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
5084	mssecsvc.exe
2216	mssecsvc.exe
2860	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 4524	3864	rundll32.exe	84
PID 3864 wrote to memory of 4524	3864	rundll32.exe	84
PID 3864 wrote to memory of 4524	3864	rundll32.exe	84
PID 4524 wrote to memory of 5084	4524	rundll32.exe	85
PID 4524 wrote to memory of 5084	4524	rundll32.exe	85
PID 4524 wrote to memory of 5084	4524	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c69c3426b0a18a32fd1b92141de9f31d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c69c3426b0a18a32fd1b92141de9f31d_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5084
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2860

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
814f1daeea574c54d512310ae637d5ef

SHA1
9920197a078d478aa6d652f1e259f73b8db0ab1e

SHA256
c821e8b9bc563261fcb0b77a609f985cfaefb95632fed490354a22405aa4e04f

SHA512
1205458d6e68ca740a9d652866bc8a5b82eb41429851dcf140b72e65ec2c83f681ed989a0bf66db33d288ea08264d3d9948dccc00fa2910320a37f26b1d57c30

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5b3e283afbaaff955e2bd68d820f8f32

SHA1
e2f9953f2ac7f04235a8759a5479445592e45937

SHA256
fb8949f7c56530ab2bb227c2f3967e2305331b4d4f2aa6e4dbfdac7020f52e43

SHA512
bd262b1cdd5efeeec854f177ac7f857dad6d39c5fb60165aa4d59d3cd9e667e25116d7ce097e495f3c4ad27d362e02ddc826f88581a13bcbe0db1b63f3216f26

Download Submit