wannacry | b00dc01a768045681b399dbe9b064a71ab8e49e415211cf35edb4e8c5091595e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll
Size

5.0MB
MD5

c9f37ba6a50dbd9c6b1d151f66e7b021
SHA1

fd82aec0d4f6d49d860a597f7eee952e1b58448f
SHA256

b00dc01a768045681b399dbe9b064a71ab8e49e415211cf35edb4e8c5091595e
SHA512

86cc7f21693ab39def1b7efe6037be77f9690ea00fa8904d2ff408541459d23f711ed8c5cecbdf20adb96001b92841a6aeed81b9660e23350bc1769647bca5da
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5/p2H:+DqPe1Cxcxk3ZAEUadJ4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3137) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4304	mssecsvc.exe
5072	mssecsvc.exe
4632	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3032	4016	rundll32.exe	84
PID 4016 wrote to memory of 3032	4016	rundll32.exe	84
PID 4016 wrote to memory of 3032	4016	rundll32.exe	84
PID 3032 wrote to memory of 4304	3032	rundll32.exe	85
PID 3032 wrote to memory of 4304	3032	rundll32.exe	85
PID 3032 wrote to memory of 4304	3032	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4304
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4632

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
38e02ec4623c82f324ecc9b43418656b

SHA1
38dbdf0a24b9f331177dc48a33daf62b1a6550ef

SHA256
bb350eae66bfbe94e55099d78f6b5926df0bc0960cd45222da275144ebc95d94

SHA512
7b68f24657bc4173cc7be3fc0daf554db81d2769d6ae5f42f77ed9b5a181c009fbd1f8cc249ef4457495bb105e864d48b8729eaadf6b0ecbe65b26599a4fa5c5

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
e35598dcb413a66da5474f4ac58c7dd5

SHA1
ad37e1288927561e020922032d73cdc990f05a3a

SHA256
5dba8d2490b4f0f7f71a0df0aff6dd4c23fd50dde7d8ae2d66a9b05e5f7b484b

SHA512
955bfaf5069e880d4481e31e3577233237810b5de170b1722ec7bb9cf657f267ebfe82040a309656a9c05d658ba297422463cd69524ed125cf6b91c4699c679b

Download Submit