wannacry | 4d260a3d3920aeb59b470b896b5a9c71e1f91c53b3e1a5b543a9365621bfae55

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 05:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d3ae8185b0ad8aa66564279971d87d50_JaffaCakes118.dll
Size

5.0MB
MD5

d3ae8185b0ad8aa66564279971d87d50
SHA1

14da3f31da0dca7ad1823842446c6eda432a65ae
SHA256

4d260a3d3920aeb59b470b896b5a9c71e1f91c53b3e1a5b543a9365621bfae55
SHA512

525583de612b9fce772850ca1685bd5b6d6458d0f3bd2ab41e0013bd419ee2ac6e68bafbf6ba3a3e73aefd272faef8a0c2f5d7a8bcafd7f77a85c6ed0dd6addf
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp26:TDqPe1Cxcxk3ZAEUadzR8yc46

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3175) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4612	mssecsvc.exe
4904	mssecsvc.exe
1180	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4064	4912	rundll32.exe	83
PID 4912 wrote to memory of 4064	4912	rundll32.exe	83
PID 4912 wrote to memory of 4064	4912	rundll32.exe	83
PID 4064 wrote to memory of 4612	4064	rundll32.exe	84
PID 4064 wrote to memory of 4612	4064	rundll32.exe	84
PID 4064 wrote to memory of 4612	4064	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3ae8185b0ad8aa66564279971d87d50_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3ae8185b0ad8aa66564279971d87d50_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4612
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1180

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
bd973e81dfbd9eb522fb247a7bc456c8

SHA1
6818741373e41b036eca2065967f79064c5cbab4

SHA256
36babed5613a39ce112695ec237385bbba0576b4f0363eb1fad3d846c2179231

SHA512
70c54f1431b694ed7b437edd8953af1de378bdabaf44b654938115f82f5eb5fcc8e4b8572d532565cb728cdbcda9734695fd4b9a08f4313f34fe32486682a383

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7ca87b99fb8fbca750989b9102816496

SHA1
237df7dd5badd539587fb4f8a6a5485d080bdf4e

SHA256
701964356ada58dbd3064bba1f30c0f4a859edacb7be5311fcb9689518a5de18

SHA512
93f92e7c6a3d4de15b64719e61bc5409c7755a7bf3e77064610bdc0a20289f7e3b9508d9bc6e417599495f350186084f99d169ec5f35090fc386537ac0040dfd

Download Submit