wannacry | 7edf2165721db67e23555aaa7446cce29e089705a66012a03c6de68fafc537e4

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ede9d49388b15efdf429fae061eb195a_JaffaCakes118.dll
Size

5.0MB
MD5

ede9d49388b15efdf429fae061eb195a
SHA1

f2c067cc448faabce2cf53ef36aec08936e83831
SHA256

7edf2165721db67e23555aaa7446cce29e089705a66012a03c6de68fafc537e4
SHA512

1159cc37b200e53ec1c56f1ec11ee3c9250d76cfa4c22e20552189694f6d87b46bb92b97f1541b387751d0772e390ba47b45a435076dddeb00113e0d2bcc570b
SSDEEP

98304:TDqPoBF1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPW1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3362) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4472	mssecsvc.exe
792	mssecsvc.exe
4444	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 4820	4648	rundll32.exe	82
PID 4648 wrote to memory of 4820	4648	rundll32.exe	82
PID 4648 wrote to memory of 4820	4648	rundll32.exe	82
PID 4820 wrote to memory of 4472	4820	rundll32.exe	83
PID 4820 wrote to memory of 4472	4820	rundll32.exe	83
PID 4820 wrote to memory of 4472	4820	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ede9d49388b15efdf429fae061eb195a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ede9d49388b15efdf429fae061eb195a_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4472
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4444

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
4d1934a213eb3aa074a00c39033b54be

SHA1
f3652f68d119574d4187fe3580a27326ce13e6bd

SHA256
53363558a832ba3ce47137c0bfe5001f51eb83a80fb8bea4697e3beabd335461

SHA512
85f4a4cb5cc737d3ea652f9c002dd0b356bb37041bec7ac8c0d3df1aeddbefef0b632aa5c54540cf22ed388ed47bc294780d111cd2e945f6622c035b3fb96117

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
d7ba97b96502b99fb189f0071b2378e2

SHA1
7a76051e68b0d99d8b4d410f9f64f0a13fc9e1bf

SHA256
96bab46aed40e7687bde2ac9b80792323ebdb789dd91278bf44586778e880cba

SHA512
72f39bf5cf628518a8a52d4ccddd20966bcc3b49be9071be7b3ff8801616f0a7759b9c170bbd43fe43d4b8c6d3e58d96e7f30c9fb124412dfc43604fc40aa7b1

Download Submit