wannacry | 0f22288db97075f2729ab06f11988e732c59ee66e18278b13316be479046abed

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f50e7b86f309889b0b56acd0f0c21254_JaffaCakes118.dll
Size

5.0MB
MD5

f50e7b86f309889b0b56acd0f0c21254
SHA1

b61458218d5f4ea10f9cd5a05a6939c834268783
SHA256

0f22288db97075f2729ab06f11988e732c59ee66e18278b13316be479046abed
SHA512

821e31b74a22963f9e45526d145cfe181b84f77acbc4c6e8f0374f95f6ce6126bd3ddd1076aa8b1e5b7bdd484d5a3e1f841ac1e39d00ef317cf9563a6628b4ee
SSDEEP

12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7Tw+K+DHeQYSUjEXFh:SbLgddQhfdmMSirYbcMNgef0QeQjG

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3243) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4932	mssecsvc.exe
4780	mssecsvc.exe
2160	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 4976	4016	rundll32.exe	85
PID 4016 wrote to memory of 4976	4016	rundll32.exe	85
PID 4016 wrote to memory of 4976	4016	rundll32.exe	85
PID 4976 wrote to memory of 4932	4976	rundll32.exe	86
PID 4976 wrote to memory of 4932	4976	rundll32.exe	86
PID 4976 wrote to memory of 4932	4976	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f50e7b86f309889b0b56acd0f0c21254_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f50e7b86f309889b0b56acd0f0c21254_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4932
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2160

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
4043fd0ffaa7b3f86fba3dcfefcbc887

SHA1
e5be39df2be0a3cb2c06c9e7026aa854c7f4b42b

SHA256
00600470e5d25c2f1d01748db6be62485a2f8f6bb0200be3b98349ae5d0ce763

SHA512
910337f52f11f87511edf0307533fa739657558279f9cf48a3e821844da781851520f984443257a0a68112c8ecd07167abf1db3ae4a691bd80b4960e60616914

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
0780b9abd0feef95f6356458a69df064

SHA1
7981ef3edefeafbdffd64d7a28bd9099e355cc62

SHA256
ea6f9ad5d5149a61b43e5cfc81dfdbeafebd88052670c0767ef3091d08143fa7

SHA512
c826d0f1f14b64ea7407a21f414fdfb3aaeca75db3d445b5388f41c09d424cb6741aa5127bad69b049d77fe8cfd0d613b0166ca20f25d74f7602a9fea7f9572f

Download Submit