wannacry | 0809317cf171214134b95e7fe30cfbdb4cd084b80fee2dd72e3f730815d61815

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cee148b7b90b060e652b8421f8e53642_JaffaCakes118.dll
Size

5.0MB
MD5

cee148b7b90b060e652b8421f8e53642
SHA1

91a9909f9521610b625a73b9227390ea55e97489
SHA256

0809317cf171214134b95e7fe30cfbdb4cd084b80fee2dd72e3f730815d61815
SHA512

07438f66601e64249745bfbfece767f48d3ded823096d33a8ca20e02483ebdae7c1eff48a3e0b2e1b95de1c34d949c2209618b1b2e20c6f40b8b4294f872a2b5
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9LG5CRxvb5aj:+DqPe1Cxcxk3ZAEUa0Ynb5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3287) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4044	mssecsvc.exe
5012	mssecsvc.exe
2400	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 936	1100	rundll32.exe	90
PID 1100 wrote to memory of 936	1100	rundll32.exe	90
PID 1100 wrote to memory of 936	1100	rundll32.exe	90
PID 936 wrote to memory of 4044	936	rundll32.exe	91
PID 936 wrote to memory of 4044	936	rundll32.exe	91
PID 936 wrote to memory of 4044	936	rundll32.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cee148b7b90b060e652b8421f8e53642_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cee148b7b90b060e652b8421f8e53642_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4044
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2400

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3036,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f459a272f0b06eb567553eca31d3fc38

SHA1
820f1384a2752aaab94c21ea6d23cbf7785efec2

SHA256
897012fa2f6fc658de3de18fff61139f0f78aa9ebe758158afd22bd9eed269e6

SHA512
e6388456f021099ceb8d703278a985433ff01276237ab519fa133ea1235060686965a507080e8c2201e0642a336b07ab75b59346d97bfc356ab544b5424a3140

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
97696d5c99f35a12007b5010944f6615

SHA1
9f3e300de6a18ca274e6b762c8dd35a7195f73bb

SHA256
860185214d80c72e9f7ea3009d232eb0f4b5a85691f939f246488ab5c1e18f48

SHA512
85291e4bda60cf5f22a68db459da3fe118f7596eed18b47019bd7a5583203bdfe392f0caa14e4a13e597cf139a986a02438189abff529ca11c63a9ac92465a56

Download Submit