wannacry | 0dbe3f5bff86d59ee4f30c425a8ebc7005c76d98ea77676fd9cd6f42d6a4dc30

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d92b2286415e3f93547a22c3c0eb5760_JaffaCakes118.dll
Size

5.0MB
MD5

d92b2286415e3f93547a22c3c0eb5760
SHA1

2bb33b0cc342df2e6ebdef009d5a173370971ba0
SHA256

0dbe3f5bff86d59ee4f30c425a8ebc7005c76d98ea77676fd9cd6f42d6a4dc30
SHA512

16c1e2d921d4146e547c831168e4c87b26d21626ec905a26e37becddc9faa820d38bf3df9d47a8dbacb57fa858df17709126b46d524a81fba17c2606ba43de20
SSDEEP

49152:znjQqMSPbcBVQej/+INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:T8qPoBhz+aRxcSUDk36SAEdhvxWa9P5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3289) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4016	mssecsvc.exe
1808	mssecsvc.exe
3008	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 4996	1748	rundll32.exe	83
PID 1748 wrote to memory of 4996	1748	rundll32.exe	83
PID 1748 wrote to memory of 4996	1748	rundll32.exe	83
PID 4996 wrote to memory of 4016	4996	rundll32.exe	84
PID 4996 wrote to memory of 4016	4996	rundll32.exe	84
PID 4996 wrote to memory of 4016	4996	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d92b2286415e3f93547a22c3c0eb5760_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d92b2286415e3f93547a22c3c0eb5760_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4016
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3008

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
74c3064683c4bcd4cbd91e8229eacab9

SHA1
72a8917bdebee1b332fe5840611cacc5cb84900b

SHA256
91a1d5890994eac03d50ea65fa9e945f963dbb6bb16c9b06cd8e58862bf99654

SHA512
3bebf03ad4d8d5799d6c61747b4282e7748c865d382e490314c1bf7749482a8d1ef64852ea0c5f44dac973bde8075f8c385c1251d939b8e799daec5b9f47eae2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
e9d695d4309a3625e48b93b7ba19a1c6

SHA1
14448a26fbccd158725e56f178c66fbcab6868be

SHA256
4ac35aa0531516659920f106dd39304b46f0c0f567f6e664250b0fbf59c2c041

SHA512
cf3e7bd22c68a5bd7825d20f9af5ccb8092ef2cdef011764700738fa214497aa79e43aa95f6713c969c1ba82e1038543c6ada633eef4a14e5ee6c10bba208577

Download Submit