wannacry | 98a2d733cd7c53b41d919332fa433a20b3274b26557382a88cd8dd6e8d4fdae4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4fa0831a187a3ad3f6fcc163bbbd765_JaffaCakes118.dll
Size

5.0MB
MD5

d4fa0831a187a3ad3f6fcc163bbbd765
SHA1

93ddc17a6af5e0ad17b016b9d941ea3d94914c3b
SHA256

98a2d733cd7c53b41d919332fa433a20b3274b26557382a88cd8dd6e8d4fdae4
SHA512

561c3741cb71d6b9254a592539574d40112dae7a826732f41227b72b65c40219514218024d68eac567a5906d3e52d4a7d8390c60e8b16be6cba79a9746a966e4
SSDEEP

98304:d8qPoBhVRxcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qP+xcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3196) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4248	mssecsvc.exe
3904	mssecsvc.exe
412	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1160	1696	rundll32.exe	83
PID 1696 wrote to memory of 1160	1696	rundll32.exe	83
PID 1696 wrote to memory of 1160	1696	rundll32.exe	83
PID 1160 wrote to memory of 4248	1160	rundll32.exe	84
PID 1160 wrote to memory of 4248	1160	rundll32.exe	84
PID 1160 wrote to memory of 4248	1160	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4fa0831a187a3ad3f6fcc163bbbd765_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4fa0831a187a3ad3f6fcc163bbbd765_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4248
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:412

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
708a58cb60ddbe9fe2ebb63f35c940f2

SHA1
b82ca0c0cb760ab16e8cdf275025fe7ae92441ee

SHA256
d59d6547052ae1a0fa57d331924d4dff44a66978330993c706a7f186a7f59861

SHA512
1be221823d9669f2c50cd911d28ef8bc20ea83e9c66de1d4080ac1bdd0d69e49409042a115ec023496b3b0f4c39ccee3a8f6c7466b496284388027ed20c0d004

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
cc369d4124024e02b6ae4f09dc0fcc0a

SHA1
c92b01e36a7aa382eb863fe1acac3a0a12187aeb

SHA256
5145d64cd8cf3fffea3b7f343ed8d1e97d485c1bd2e3189fe9246675506fda83

SHA512
038e5a21eee7adb1e939085e02284760375579e660e2fd9275a878bc5bf9fb678eebfa4a489bc70fd239bcce8c2ce8132201817bf248458c5ef3926ae836efeb

Download Submit