wannacry | eb11b846d7ef2b182b62208dd121664aa4612f98829a9bf74788216574d40531

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1456cd4c4ac76ac481a2f7d476f9401_JaffaCakes118.dll
Size

5.0MB
MD5

f1456cd4c4ac76ac481a2f7d476f9401
SHA1

3be3b52e3eddeeb94ac9f74b4b4e536a73481ae0
SHA256

eb11b846d7ef2b182b62208dd121664aa4612f98829a9bf74788216574d40531
SHA512

0c3a00bb5ae43a90550da863e9f0ac4365b135a07d63ad8adc93ab310648114fb2cf4d5e6f733f5400777a50a2968f4dea738667d93f47d9b6983d36e6f004ed
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa99593R8yAVp2H:+DqPe1Cxcxk3ZAEUa3zR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3289) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4420	mssecsvc.exe
688	mssecsvc.exe
1512	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 2632	904	rundll32.exe	83
PID 904 wrote to memory of 2632	904	rundll32.exe	83
PID 904 wrote to memory of 2632	904	rundll32.exe	83
PID 2632 wrote to memory of 4420	2632	rundll32.exe	84
PID 2632 wrote to memory of 4420	2632	rundll32.exe	84
PID 2632 wrote to memory of 4420	2632	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1456cd4c4ac76ac481a2f7d476f9401_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1456cd4c4ac76ac481a2f7d476f9401_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4420
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1512

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
cf7de0889b597372e25daf084e829b7e

SHA1
667b2f61a604f089848c409e411d2f6c3a9c27f2

SHA256
3c045c1ed075008267455b90cf105e27f5475d98d2e9636fa8cddd24fc0d50c8

SHA512
a88fde3ec3c723f95996c2ee4f79d4550c511b4563e761c7bd384181b12830e676cf644bc9e9a8435e50b0735338842299dd5b00d724c00d894a75e314db6d5a

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
aa640ed7300ba5daa6c63e86adbabe72

SHA1
eddf6d27b589d6535c2469c9b9a5062712e36adf

SHA256
4acb29f6461abfbc392bcc912801988d0c1f9c0a44f9ba5d55e96a3598e4ecf3

SHA512
bda13354aeeb2c0dbbef8b181b585170a52a200a26b5447a93214c27d8982fc1f95c79599609e2c93e6d34d5dee9790240608dbf9be96df24e9bbb184236152b

Download Submit