wannacry | 6448dac72c9621e3ba3df04135f274a102f1ef63fa9dea96938c18c86464a0e9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7e2e75c868e8ea62c1d623b1e05793b_JaffaCakes118.dll
Size

5.0MB
MD5

c7e2e75c868e8ea62c1d623b1e05793b
SHA1

47e1186d8790a98289416d63f8bed3477e0f68f5
SHA256

6448dac72c9621e3ba3df04135f274a102f1ef63fa9dea96938c18c86464a0e9
SHA512

41f55665206dec4f634f85dd7196c74fa7496232691466cffd1d11d87465a346ab155adb4dd6f3feae670cb8ab2e09a4e893d0a57f05e0564ef1defc0d79266c
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWRAVp2H:+DqPe1Cxcxk3ZAEURc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3133) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1432	mssecsvc.exe
3112	mssecsvc.exe
2080	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 1608	3296	rundll32.exe	84
PID 3296 wrote to memory of 1608	3296	rundll32.exe	84
PID 3296 wrote to memory of 1608	3296	rundll32.exe	84
PID 1608 wrote to memory of 1432	1608	rundll32.exe	86
PID 1608 wrote to memory of 1432	1608	rundll32.exe	86
PID 1608 wrote to memory of 1432	1608	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7e2e75c868e8ea62c1d623b1e05793b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7e2e75c868e8ea62c1d623b1e05793b_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1432
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2080

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
e0f493a3dc7c0f5a5d8e96e7c6111206

SHA1
958a65d7a2f95215f7cdc438e52d42f63041479f

SHA256
c62f6a1edc3dada352a5e6cd205f81163018488b72f6d41d7a5edbc1c16b0e31

SHA512
ffaef13972127006e80db7c7def84bc00be5da9080a50e645484fec5e0bdb6c6fc7d9b9d69d2712f09402dc193611361440e3ce46047331937fc71a0654203e2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a3757573cb5a4f5629491d94f1396400

SHA1
0b5fef18df8312adc4fa770c1c74acd1a44bb556

SHA256
d51705fb5e385c313f81e15d173839f853b68db360cdb5d9635ab1757545285c

SHA512
13d8b8b20be79a1bd8e31b85af6d9fc85d7ed40b73c589d78dd5b57cc04cfb646bf6e827bea93f43ed983e8762845cf172cf99ea184bcc6635c369edb656511e

Download Submit