wannacry | 1351f27d0b7e0d1f4700162d4f91dc93bb43a2aefa0ba22f86056bc6444a9703

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7ad80f2f8d5b28983310cefffcf8878_JaffaCakes118.dll
Size

5.0MB
MD5

d7ad80f2f8d5b28983310cefffcf8878
SHA1

5e51b23489c64b155b653669fd8c7fa882bfe50a
SHA256

1351f27d0b7e0d1f4700162d4f91dc93bb43a2aefa0ba22f86056bc6444a9703
SHA512

1af14e752d5e8e492d3f0d576f78674b81b5f15a55474299e6200826a66446c17c0c44a40fc27c60d906d03fabf368287e3707e71b2d46c7e409109307f0cf87
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P59:TDqPe1Cxcxk3ZAEUad

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3255) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
3112	mssecsvc.exe
2284	mssecsvc.exe
4656	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 2680	4124	rundll32.exe	90
PID 4124 wrote to memory of 2680	4124	rundll32.exe	90
PID 4124 wrote to memory of 2680	4124	rundll32.exe	90
PID 2680 wrote to memory of 3112	2680	rundll32.exe	91
PID 2680 wrote to memory of 3112	2680	rundll32.exe	91
PID 2680 wrote to memory of 3112	2680	rundll32.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7ad80f2f8d5b28983310cefffcf8878_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7ad80f2f8d5b28983310cefffcf8878_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3112
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4656

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
1⤵
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
03ccdc10229d03163f6a336c20c0c387

SHA1
ae3932c05191ed6c1f742fdac245a133389ba72f

SHA256
b71c7a761c1fcf2ca362e4464762b760f406d171c4d087b3fa5ac8fef6f40e09

SHA512
34cad2a062a4a31d1b5b3655fa398dbea66fa70c19cdb3725b1ea344d62b605e608610a327b68cb415b51511c26ad270be8d838dd3a050840855a190d8fb9ca0

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5a1596c30f0704edb074358c1b459cd0

SHA1
3a52cbf0571a55c93873a7d9212073ccdfea6655

SHA256
aec6782163a899a2d26cdf3c83da1ab0adae7aeb885270c3835ea6c55e3a785a

SHA512
35a0c6b9bab69f6e689d26a8f3efc58ebd9b0820096005841bc6a37562a7936ed9b2c326c50b3889f538a52a406148f10b060e2ebc3e1cd1a014210919cea24c

Download Submit