wannacry | 3214a6bc1516237a1dd43a7362e4c5d8a48528aeadd8151eae8e9030fd98f273

Resubmissions

01-09-2024 15:27

240901-sv2jdavbrq 10

28-08-2024 14:14

240828-rkcltstbkp 10

28-08-2024 13:53

240828-q7akba1anh 10

28-08-2024 13:48

240828-q3313asdkq 10

Analysis

max time kernel
42s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6f93103b29652dbe18510ea58016058_JaffaCakes118.dll
Size

5.0MB
MD5

c6f93103b29652dbe18510ea58016058
SHA1

99f707cdd51c938b85b43413d982325919f18cd1
SHA256

3214a6bc1516237a1dd43a7362e4c5d8a48528aeadd8151eae8e9030fd98f273
SHA512

4a243ef4bf2ae2b01030c00f576c4c83a378f280e03f356c7298d5eaa41720722616da5dd7e4466b572158e658a01b92e09ff245b9c218949945e061bb40980d
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM:+DqPoBhz1aRxcSUDk36SAEdhvxW

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Executes dropped EXE 3 IoCs

pid	Process
1716	mssecsvc.exe
2488	mssecsvc.exe
3420	tasksche.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1236	4768	rundll32.exe	84
PID 4768 wrote to memory of 1236	4768	rundll32.exe	84
PID 4768 wrote to memory of 1236	4768	rundll32.exe	84
PID 1236 wrote to memory of 1716	1236	rundll32.exe	85
PID 1236 wrote to memory of 1716	1236	rundll32.exe	85
PID 1236 wrote to memory of 1716	1236	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6f93103b29652dbe18510ea58016058_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6f93103b29652dbe18510ea58016058_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1716
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3420

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
8bcc3517b17394c04e305a5a31fbb5d6

SHA1
8e789cf5b8d483691554d6315212b00fb0f2727f

SHA256
c5d66f91b1b6b9ff6be7ca61ed7989b02d753b182959878db5b5dac064444b4d

SHA512
5137ca1fb369ea7de967307f9038d098562b257f2f3a46fda69e0d8312253b5b61ef2848dae389ea59a9f75a56acab42956b82916690ba1d3f0ce10e3c7e77c9

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
f22c104bdced739dd330228c7818f972

SHA1
c79950f1e331f6d005e469843a6927e8d1bf641f

SHA256
0e4d85f35083e1dac36ed2533d945f4c1b81455241ac5b319680613d833e8b95

SHA512
87312affbfd18d35652f136480ff73cdc7e6933af46bcd2116603776fdc7ac57d38585459530d317d5ca2b2ae560e57ec426b70de9cfadc48625962d9aa022f0

Download Submit