wannacry | 3c7e73a52bab42b0a061f94e9a2ae9ae8a06849fd95cd7e21164d1864847018b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d425e84ff06db0fdb37101daf98d2ab6_JaffaCakes118.dll
Size

5.0MB
MD5

d425e84ff06db0fdb37101daf98d2ab6
SHA1

b09dfea9c4c14a9d0e8dff30cbce982e63bc8208
SHA256

3c7e73a52bab42b0a061f94e9a2ae9ae8a06849fd95cd7e21164d1864847018b
SHA512

d4aa5ddf57e655ac8e7fa57edebdbe51e1366a14f3e6b582baa5ef753f9f847b76fb3a035adcaf9b9bb9dfb1ffa1185a9547570f26b87034056ac0591800b2c1
SSDEEP

98304:+DqPoBE1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPn1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3131) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4088	mssecsvc.exe
4624	mssecsvc.exe
4988	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4392	5080	rundll32.exe	83
PID 5080 wrote to memory of 4392	5080	rundll32.exe	83
PID 5080 wrote to memory of 4392	5080	rundll32.exe	83
PID 4392 wrote to memory of 4088	4392	rundll32.exe	84
PID 4392 wrote to memory of 4088	4392	rundll32.exe	84
PID 4392 wrote to memory of 4088	4392	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d425e84ff06db0fdb37101daf98d2ab6_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d425e84ff06db0fdb37101daf98d2ab6_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4088
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4988

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
2245b1475cb106901a9df4fba93ebde9

SHA1
304fe0dc02bcc2c9d403e9b28d236dffca7c0907

SHA256
e83ac599f9c57722cfbd5fbd3f63eff0ff834bec116298d67b5ea012af4d99ff

SHA512
efedade5a3a565b539a7fad9efd5c6567963db7bb1d225624983e0fa27a1ebd24414742cad761d0872db02b46f0b0e539240d6fee5fa21769cceb2acb2215231

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
3193c92a4180f57c23539f6ebe6b8867

SHA1
c819aae3bda07c61fa9e0f0bf6f71cdbb203b41b

SHA256
f5709e480013599ba602588273e5ae053729a9660062f7c3263acfe8e6d21188

SHA512
7668c6377c6fe55c9ed92eb0fbfe1c7da60f4d65e727a1ad6e127b829f25e21093f155a4e61ef0e6dcdd5e268ee73ccdd39228ef7312279287151650fa93bb96

Download Submit