wannacry | 16e3da99d0c51b91d0b4d3f3e9f3149b930dbfe529c7b95d5a5e785bb0e7635b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d73547899cfb483ae8eb2dbd5bb2666c_JaffaCakes118.dll
Size

5.0MB
MD5

d73547899cfb483ae8eb2dbd5bb2666c
SHA1

4ac1e6c04930b1108c7f4f8a5603c4b7fced8aee
SHA256

16e3da99d0c51b91d0b4d3f3e9f3149b930dbfe529c7b95d5a5e785bb0e7635b
SHA512

b9f8597163de633821db710e273568f60247a1b189d18cc9455d303f4696be649ab51ba8348dd2ee42f723468c4667914bdf7585db23d474dd6bf796b4825022
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:d8qPe1Cxcxk3ZAEUadzR8yc4

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3267) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2168	mssecsvc.exe
1964	mssecsvc.exe
3488	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4844	1028	rundll32.exe	82
PID 1028 wrote to memory of 4844	1028	rundll32.exe	82
PID 1028 wrote to memory of 4844	1028	rundll32.exe	82
PID 4844 wrote to memory of 2168	4844	rundll32.exe	84
PID 4844 wrote to memory of 2168	4844	rundll32.exe	84
PID 4844 wrote to memory of 2168	4844	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d73547899cfb483ae8eb2dbd5bb2666c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d73547899cfb483ae8eb2dbd5bb2666c_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2168
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3488

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ea3a3873e3b3c110a06b888b375dd68f

SHA1
a9689dac58a9b558cc1d720eeb4407aaf4c9febb

SHA256
384546dd4eb80550ae7910c047bd8fedf707f9185e443b9b3076dae95b2615ea

SHA512
6fa33852170229c3c8150f63e9525b1425c0eea927a3481381693b557e8d4c7f7cd1b2dff412889be2cc7a69b27437389ab15229214f782ee119014fc6498a49

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
8f25d68fbe90bc1e59c1e4e9a081825e

SHA1
fc95544f8facc487b07f5659a4c59c45c395a748

SHA256
12fabc042a488d577d14945a2d8d06131ed5228f669efd0110d59c47267dfe1d

SHA512
60f48bb4769ffa61a3892618d0d3f6afce2e029b23c09c49292f6ab261f54eaf43f7b7aed7b421566068dd67e9eb1132ee6a75d96e0098f0841f2b7b5d2ba15f

Download Submit