wannacry | c9e2325005df8894b06dc46e32d26705f9738f85afbc353507b954b93305fbec

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef12ed9b26a523119f5223830c012a6e_JaffaCakes118.dll
Size

5.0MB
MD5

ef12ed9b26a523119f5223830c012a6e
SHA1

dfa598f89fb7873ad78bdbb9af42e6b2d4d4ab34
SHA256

c9e2325005df8894b06dc46e32d26705f9738f85afbc353507b954b93305fbec
SHA512

b79b8370401582dc4d40f034f0c34bf98a9a554e840873d4dab5b6f12c8782477184026044184f30b7d7210b3d1f5eed24b378f2da2a5470a069c301887c4ea1
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5H3R8yAVp2d:+DqPe1Cxcxk3ZAEUadtR8yc4d

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3305) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1700	mssecsvc.exe
1740	mssecsvc.exe
3332	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 4120	3516	rundll32.exe	82
PID 3516 wrote to memory of 4120	3516	rundll32.exe	82
PID 3516 wrote to memory of 4120	3516	rundll32.exe	82
PID 4120 wrote to memory of 1700	4120	rundll32.exe	83
PID 4120 wrote to memory of 1700	4120	rundll32.exe	83
PID 4120 wrote to memory of 1700	4120	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef12ed9b26a523119f5223830c012a6e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ef12ed9b26a523119f5223830c012a6e_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1700
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3332

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
659a9ea6acce758834acd6a913e4c9f6

SHA1
91236124a7fa9800b21ca419e1eafc988b258d42

SHA256
f1be0ad232c71707d9ff36f7974bf3793347305767cc2c14301e43b77e83dc35

SHA512
1ce510e32f1d88ef42ae884422c497581563a47caa2412fe6733bee2c563b4185c44912a69b0f35fcd60dd7a87ebd9620bf32d1714b9f752c5423e1099b7e71f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
c3a026fdad60ccd11f4db5848d45e8f8

SHA1
28657c6103e5c9625a21268107a53529c5a3df63

SHA256
f674a6f9463db4bb7701603f45fd6c2f96ff16b4354c7b9d7cb51a1d548a1bdd

SHA512
a16432442838c4a83bca07d74117390efecdd105b591c505d409bcb44caa84300dba3a884a60bfb3ead3f184f50ba2aedf2c41def28aeb801627ce30b393e9ec

Download Submit