wannacry | cb1e1fd195be73533d6d7b56af2b79c87ee7de55da632d3063c70d7c85505452

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d76e42cd409b60f5c1136a69b152dd26_JaffaCakes118.dll
Size

5.0MB
MD5

d76e42cd409b60f5c1136a69b152dd26
SHA1

f5ec1a81ed5328da56053f3ade254a223541b7c6
SHA256

cb1e1fd195be73533d6d7b56af2b79c87ee7de55da632d3063c70d7c85505452
SHA512

ea6f8c419238209aaf31b944849a168f7b661b1f21f825f80e7a1512ab18613a1bda341b9e4b97fc341f3eeba295dd53ca096c6e656c536fae6a6fc2292a6037
SSDEEP

12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900VeT9W:SbLgddQhfdmMSirYbcMNgeT9W

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3261) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4660	mssecsvc.exe
4820	mssecsvc.exe
5104	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4172	2872	rundll32.exe	83
PID 2872 wrote to memory of 4172	2872	rundll32.exe	83
PID 2872 wrote to memory of 4172	2872	rundll32.exe	83
PID 4172 wrote to memory of 4660	4172	rundll32.exe	84
PID 4172 wrote to memory of 4660	4172	rundll32.exe	84
PID 4172 wrote to memory of 4660	4172	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d76e42cd409b60f5c1136a69b152dd26_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d76e42cd409b60f5c1136a69b152dd26_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4660
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:5104

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
588410c60c4d476af94abeac347f78f5

SHA1
aa7cd08b7275cecd3390880d3feb8646c04e8e7f

SHA256
6a4cc6b0af6f97130083f4cd5273b9fadd7909154e3b616e0878d14a8f6f8d28

SHA512
8aa25c5585738e9b83aa21fef2604025b92b6ee4509b0c536f05b60f5dd5c9785d9a0d6b9e29f30977615db62348d2feba9cdf6170a73affcfdaa33259b27c61

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
004e5295a8e65563bc5e827297e4990a

SHA1
8974eaab038f250c0ad40b3945fd1f05c77219cc

SHA256
976b10fd4ead21e37f732a85811dbd3b3f739f98e181643309fb4d3efdd06dea

SHA512
a329fc3dcf5382de6b5f70d5a200ef1184a26af6b8d0d0116f64012d622b3d0f292c7178b75be99ed054612f45accf60ced97840c0d091baf75c7be517ba7514

Download Submit