wannacry | d9396dd0ff51e3c0ffd34e98623a9057941ff7c0eaf9cb883127cabaa23222d8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca4e12b68dcf1742b830a14c6efb064e_JaffaCakes118.dll
Size

5.0MB
MD5

ca4e12b68dcf1742b830a14c6efb064e
SHA1

f2f6e4aa658fd0636911f3f9c1e5a08b80db2c02
SHA256

d9396dd0ff51e3c0ffd34e98623a9057941ff7c0eaf9cb883127cabaa23222d8
SHA512

20c405022a1bcabdff6a18be5f942bcbe17b051b6755bf0e45b9969c5ac5b372d6504c9299e38e84b7787f8aa3f7df175604e422559300f7176d3d4bd879de29
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAF593R8yAVp2H:TDqPe1Cxcxk3ZAFzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3259) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2872	mssecsvc.exe
3124	mssecsvc.exe
5056	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 3852	1540	rundll32.exe	84
PID 1540 wrote to memory of 3852	1540	rundll32.exe	84
PID 1540 wrote to memory of 3852	1540	rundll32.exe	84
PID 3852 wrote to memory of 2872	3852	rundll32.exe	85
PID 3852 wrote to memory of 2872	3852	rundll32.exe	85
PID 3852 wrote to memory of 2872	3852	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca4e12b68dcf1742b830a14c6efb064e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca4e12b68dcf1742b830a14c6efb064e_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2872
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:5056

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ed009d019bc92dbe9d148907dda195bd

SHA1
7a5bc7ed6b9b0cce6b46635cbab86ba582746d85

SHA256
b1aa44f219b327805b4cd3f9695f92812e78334393aa544cfb45b36bc2b337ea

SHA512
adbfc2a8055aaa63ed6a29f9427127ed8e434e2a5978943c2546424c9dc47985ac886ae95cdbd42a01e2f7a47098a55ba3cf3e2fda9561d37ef5855fa69e47fc

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a7b39294f1ef85fb55996c355fcdc622

SHA1
aaf9eca8d73e64acae99b43397656762e7ef87b5

SHA256
74d84e873dcf8f3ce83ab24fd2622881e7f2c0d8ac988c4d804c36554aa54c0c

SHA512
2ddbc8504787c4069693a3ce3470dd4a14d246da4f98e0f1e4522fa02529b18b77c6fc46e618d10cb6cdfeaf211f966e694ca09c86459dcbfbf7b065e7a892ae

Download Submit