wannacry | d20278b518a4592122279ad93c96fae5ad9fdca4dc038352c794f5030dc6d54c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edbd2dfd6334fb23e5bf3faa24556a4a_JaffaCakes118.dll
Size

5.0MB
MD5

edbd2dfd6334fb23e5bf3faa24556a4a
SHA1

d98673cd23f664b32ced72a47e94c9dfe2fbc41e
SHA256

d20278b518a4592122279ad93c96fae5ad9fdca4dc038352c794f5030dc6d54c
SHA512

793008c5e90e7cdaf986f8d489320ea39bba074797583593345fd344b11e7643862c2849bde9b732cff00144780eeada91f7d51cd235fc5ca30ac014ac98ab8a
SSDEEP

98304:+DqPoBhz1avBiGkEJMkEBaXTddktRzVJr0O+jM1BU8C4q6ohRMkP/:+DqPe16BiKqkEWcZJAdG68A

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3148) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
3504	mssecsvc.exe
928	mssecsvc.exe
532	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 4788	3956	rundll32.exe	82
PID 3956 wrote to memory of 4788	3956	rundll32.exe	82
PID 3956 wrote to memory of 4788	3956	rundll32.exe	82
PID 4788 wrote to memory of 3504	4788	rundll32.exe	83
PID 4788 wrote to memory of 3504	4788	rundll32.exe	83
PID 4788 wrote to memory of 3504	4788	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\edbd2dfd6334fb23e5bf3faa24556a4a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\edbd2dfd6334fb23e5bf3faa24556a4a_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3504
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:532

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
432b9974f5d2d125836aa256c0561c35

SHA1
47c9d035c8f3f597f1edf1b30fcefc503663a004

SHA256
657d88e66980b8fd5e59288ff183fba1263e2c07eb743a9e2b2db9b1696fd34b

SHA512
057e64217ef94b2a727928558e89305c8dc830679d2f2511d505b2e670aad9fb40d91df0b561aa9c578a8ac5bc8ecf6ffccc034db58ad707bf424e387c82b2fb

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a544fceb57911ff07042edc3f297b00c

SHA1
c7ab030800401d9ac174475d4429a41731930bef

SHA256
5edc477c1b65657cc143ce3abad4d764c45ce4e35de859313208a3eca9202a80

SHA512
192dd15dde13a8e866536db96e4d68d1e67903f305fe2f770cb052cc178b0504674c4d98d3d9068e34b2fd74733693cb420320d2a8a817fcea9805f1a5e8b13f

Download Submit