wannacry | a1be321e8deb8ef6eb3e326b1ef9d7dfc1cfe7e86bbcf9f5e2573c1b77f858cc

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0c9b9dcbdb09dba7aa7e93df33e8883_JaffaCakes118.dll
Size

5.0MB
MD5

d0c9b9dcbdb09dba7aa7e93df33e8883
SHA1

9095d247ef63b8b2001723c18efa30642fc7cc71
SHA256

a1be321e8deb8ef6eb3e326b1ef9d7dfc1cfe7e86bbcf9f5e2573c1b77f858cc
SHA512

c4382e91a68fa647c0e640ba4282b42bdc988332e1963f55ae54d7bd8883a251e2fa500923853163d89a996bab8b85e1060d56159c0b6d074df245320ae0a007
SSDEEP

24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoPccEAHYkRGra8oQPe:SnAQqMSPbcBVQej/1jZROAx

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3321) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4972	mssecsvc.exe
1588	mssecsvc.exe
232	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 1552	2632	rundll32.exe	83
PID 2632 wrote to memory of 1552	2632	rundll32.exe	83
PID 2632 wrote to memory of 1552	2632	rundll32.exe	83
PID 1552 wrote to memory of 4972	1552	rundll32.exe	84
PID 1552 wrote to memory of 4972	1552	rundll32.exe	84
PID 1552 wrote to memory of 4972	1552	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0c9b9dcbdb09dba7aa7e93df33e8883_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0c9b9dcbdb09dba7aa7e93df33e8883_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4972
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:232

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
55fb36e09f5078f74a4c1375e4731f5d

SHA1
ac377096256b11ec4509e10a6db952228aebf593

SHA256
da57bc5dd6f0995e6f2a86a8dac7eefde4be805e0312e359bb55fb088efd9070

SHA512
a4e515d34c972b86e55ffd5d2ee67927d2806d8765f10498a89de6b2db7bae93a6ca2719819bda36ad71de212b788b5e80bc4c4cfc85ffdfaff7c6b586695220

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b821d98a86e4b1252b0306c4e5c6a488

SHA1
0acbc89bd647b9a2afc59958c5d81cd2f4986bc2

SHA256
bb28f332bbf787f0b57a9da19a90c1f6002addcc905c22b3f606d45780dc792b

SHA512
a79342449e8b784bb755f3e8b12a28c341dc747e9f63f1d904d642aff92d5a4ff227f1eed287919b7f9ea58645374470d39d020cb4e63ede045e674155f881af

Download Submit