wannacry | 9c9e719efcfb386d1022885ade13852c5a6bb71b1b108b283c1bea8764579f63

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb7b2e602f9472d1da28d56c1f7f60b1_JaffaCakes118.dll
Size

5.0MB
MD5

cb7b2e602f9472d1da28d56c1f7f60b1
SHA1

2e0843614511cee5ad2041d0c36af390da0d1696
SHA256

9c9e719efcfb386d1022885ade13852c5a6bb71b1b108b283c1bea8764579f63
SHA512

15f85c586eb19b377cd40a5445824d700d0606a164c81ea8d23d535bb987236b2d7406c486897d79213b1f95a0d747df91320d579b1e5c2c47f6f1f9ba3030ac
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhlS:TDqPoBhz1aRxcSUDk36SAEdhM

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3230) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2672	mssecsvc.exe
1204	mssecsvc.exe
444	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 4508	1100	rundll32.exe	84
PID 1100 wrote to memory of 4508	1100	rundll32.exe	84
PID 1100 wrote to memory of 4508	1100	rundll32.exe	84
PID 4508 wrote to memory of 2672	4508	rundll32.exe	85
PID 4508 wrote to memory of 2672	4508	rundll32.exe	85
PID 4508 wrote to memory of 2672	4508	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb7b2e602f9472d1da28d56c1f7f60b1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb7b2e602f9472d1da28d56c1f7f60b1_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2672
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:444

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
5393481cf5883174ef7e6b5f40177a03

SHA1
bf9c5e44727c9cbc1bb7d6c3b0f5a0b855529472

SHA256
a9bad166207a4adabd7d652a99fc4c17d6d1f3e47d536adc29f0383c9c929870

SHA512
1ad7c4d8b825107c8da06eb8e37db6e5ede8f7eef1ed15c86ba301b0ce2865731c9d04eca272ca01a0b739da06444324e1d4113522e7f380396e0ffc7a4718c3

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5dd25d7a454fd352b6ec3e012bfa68c2

SHA1
e1241e4afe4757af64c389b82e0c37a5e271c652

SHA256
873bda658ae4e69c6227b0d09e5a43ed2c41346e30d37c420fe97e02c3ddde48

SHA512
c46b69fb31399298982ee9debe1365b60d22f5876fa1a3f376c5a41d8765756b3fc325cc0417401f90e253a777cdd1eebe8d30d28437a5ab5cc672cc1a827d23

Download Submit