wannacry | 407ba91edf436760116c38d1737262ee02943a3f7f6a556e394fb62a17585783

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de21664ecc0057751b0d3748657e1ff1_JaffaCakes118.dll
Size

5.0MB
MD5

de21664ecc0057751b0d3748657e1ff1
SHA1

b39324c47c1f4dfc73d05097a17b54072358768f
SHA256

407ba91edf436760116c38d1737262ee02943a3f7f6a556e394fb62a17585783
SHA512

e28cc64aae84422d45bcfd6916c78de6cb99ce468cb6c12b7d25cef0aab02dd247f88b478b72e40562c0a434281a4c049fffde161d7bf2de323d2f2ca6175edb
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3291) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1516	mssecsvc.exe
1768	mssecsvc.exe
3204	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 1976	3420	rundll32.exe	90
PID 3420 wrote to memory of 1976	3420	rundll32.exe	90
PID 3420 wrote to memory of 1976	3420	rundll32.exe	90
PID 1976 wrote to memory of 1516	1976	rundll32.exe	91
PID 1976 wrote to memory of 1516	1976	rundll32.exe	91
PID 1976 wrote to memory of 1516	1976	rundll32.exe	91

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de21664ecc0057751b0d3748657e1ff1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\de21664ecc0057751b0d3748657e1ff1_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1516
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3204

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4004,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
5bca9fec1ccee765ab92f52a7ca1f660

SHA1
a69e9eafd1e9baad233cc977ed15aece2835a649

SHA256
feb05cf63c1bd56e038b81e3f0c44f4c2c8251741eeb205a4954e7ba957f9a88

SHA512
35e9c350e6cf29357265c1e6ae8e0cb64c1aa1409a8c8aca7256cc6b63f4e062b630c69acfa36633deb4f2974c701e8a8956a9669455cb39d84623fa7106f155

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
e69e8ed45ca0b538abb9dcf2ab696489

SHA1
b2ae88cfac2dff393ee6d312ad965ed79239cd84

SHA256
705df6507e0d9b8cb1d3928b04823660c935cf6b855dbe5622e18b8295dec180

SHA512
8e416bab77451f667eef5b3eb78ec687f18efebef02138db8428d1958216d2c4c08505cf7fbac22c95939c71a3a202466f205101b3da0e2d719164a23f6ac442

Download Submit