wannacry | 466f166d55d8755f3b2f77b3150493e7a255207f6ea8d605cc181b16fb3b6d13

Resubmissions

28-09-2024 13:56

240928-q8x21aygnr 10

28-09-2024 13:47

240928-q3nals1gjg 10

Analysis

max time kernel
1800s
max time network
1803s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-09-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc6d185cdc6364146888277e411fbf7a_JaffaCakes118.dll
Size

5.0MB
MD5

fc6d185cdc6364146888277e411fbf7a
SHA1

1a45cb794dae0c3d7dee4c94891ccc2b1706de65
SHA256

466f166d55d8755f3b2f77b3150493e7a255207f6ea8d605cc181b16fb3b6d13
SHA512

a9fe75a5f809b7b19803828eda187d8ca96555581ed718d470c9387f8cab9f32601c85554f7b7483565b1b9bf0a0656cc448b016d6fbfb255bbc7e11e5dc7984
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8y:d8qPe1Cxcxk3ZAEUadzR8y

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (34024) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1204	mssecsvc.exe
2900	mssecsvc.exe
4024	tasksche.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4468	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 656	3428	rundll32.exe	73
PID 3428 wrote to memory of 656	3428	rundll32.exe	73
PID 3428 wrote to memory of 656	3428	rundll32.exe	73
PID 656 wrote to memory of 1204	656	rundll32.exe	74
PID 656 wrote to memory of 1204	656	rundll32.exe	74
PID 656 wrote to memory of 1204	656	rundll32.exe	74

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc6d185cdc6364146888277e411fbf7a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc6d185cdc6364146888277e411fbf7a_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1204
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4024

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ApproveResize.crw

Filesize
276KB

MD5
2d6b8816e1c14bcb8fefc271b9725c46

SHA1
e2d78a93d6fc2f2a21e2d341e9ff66f5e1f68c2f

SHA256
ae19d4f6d393b64ce89a80a4565732800f170dbe90c497b62c33f16476be74e4

SHA512
ddb67235ac38261347142cae9f5c80469f4fe198d0764f33894b7f0a54d520364ee7f0bf8cff507a2c78af0930c102a21b9d799718ee62959bc0f7f6aa408f12

Download Submit
C:\Users\Admin\Desktop\CompressClose.mpeg

Filesize
384KB

MD5
ebf12e5b533dd6941f19a95c0065d529

SHA1
f92e7cef919fedc8e6cadd123c8ff31b9944febb

SHA256
e75c6d2b135de057c88b253a0e3aaf79dbf80abac16f9736ade9f58125be46bc

SHA512
8b7befd6ed49bc30b1b8f4e3187dc3fb691a2f23561bac7d1f34da0f849225027d20743667d75553249068f76203cc8fce40008d48966895e310fdf72cf1efe9

Download Submit
C:\Users\Admin\Desktop\CompressTrace.mpeg3

Filesize
430KB

MD5
47bf3cb7b70c38305a79814b331aadfa

SHA1
afa36e4f068d3309e7cc56b871bb6939388d9332

SHA256
0867973d34a7c3c634f994c85088241f2d73f377536a230d1575717485b65f28

SHA512
15651b3f5a1fe323b252eef808c60619386c80f8c954f76d5a38784c23660bda05d35de1835b795f61584bece9c1dc693a8efec478d88c01174f55832cca53bd

Download Submit
C:\Users\Admin\Desktop\ConvertFromUndo.gif

Filesize
245KB

MD5
10ebc662918a8a5efa2c5f45e0b7dbc6

SHA1
33dbed1cf993cd9ef2f5321a51e64252ef04d8ae

SHA256
19b4f5020fe43a0c4ed573a948da224f66c9a72d2dbcaf3fa82b8c5e588ab149

SHA512
6ad99cad836c64514559bc2574a6720c465a4331282460eb1d565ede465945810a364b86e9d96700295cafccee332668328f4f8eb13e7a3731cede9171f9cb55

Download Submit
C:\Users\Admin\Desktop\EditDeny.DVR-MS

Filesize
399KB

MD5
9df9e56c0f3c5608da0aee5a5c5113fe

SHA1
709fe81b24557518f5f880174a52b0da9384c876

SHA256
7d41241118aa93320d61074727861d294833cc6e4ad2bd03e4dfbc879e2e6aba

SHA512
397c5ac3cd72a38149e06f17691f4956e22b5a93fd56ba5614051e985171807448e05b7c7cc63e1e166138b9a5668d20e959a8af0781b4db996eb416c47dcc7e

Download Submit
C:\Users\Admin\Desktop\ImportRemove.3gp

Filesize
168KB

MD5
78140190aa53444aa392c4748ea27054

SHA1
b4741f53c29bfdf1296db866e928bc592020a324

SHA256
7e5ce321fdd900c95cfa07efcf65b2b81eb5b9dee81a591313e8bd0fe8847035

SHA512
c39700adf10aa94465f8963899fd75bfc49e5f06ba51cc36c7d115cdc4e7e0979c783c0303ed6b02ce3932ce5dc0dece3ed67bba96498bc987919d6fc9e89df3

Download Submit
C:\Users\Admin\Desktop\InstallNew.mp4

Filesize
598KB

MD5
6e8237a86dd772a362509c0586c82572

SHA1
ac951ec9736cc8f235ce3e5761e9d95ac9b7486a

SHA256
5079992d9203993b411a9ea4bb1424891db48425a85a99d8af1120cd8cde8c94

SHA512
32085695b2f0a091a3f0588412ffe5aad56e6240323e7250ba70bd110321c5ad88bbce0111429138a310ae012524fd3618211f25a83454999c245847e8a02ef2

Download Submit
C:\Users\Admin\Desktop\InvokeSync.edrwx

Filesize
307KB

MD5
10c24e3a08d73c26ce08113d093dd78d

SHA1
19e2eef8456cc3a80c9a5bfc5f97c4b496b4b975

SHA256
de565b2d0d273fd732c10108647be1e3d199d5d44133a646417fd7680ecb1482

SHA512
a4c46bd19deee31faa8f32800b898b44d036268ce8ff5d53f403805647842be34b35af47af9cf12b9bf797ec391f64b92f059d0b71a9c6b77e504174a8856c3a

Download Submit
C:\Users\Admin\Desktop\LockWrite.cr2

Filesize
291KB

MD5
69467e3d9773855a5b62cc2d5eeb3367

SHA1
8b93c6688c7e4a13148ae2029ba817c145982802

SHA256
f351d04e0a69e1dbeb6ee6071b920108d7e8289b6573c9beb2af0a6313eacf0b

SHA512
be8fad5b59788d111709f847eec1518e1f2a0d01e517ed011fe37925e88ef02440ae44e4efc2fede64e99a06190db352128d09d1ae84951ed6057ccc3d654902

Download Submit
C:\Users\Admin\Desktop\MoveMount.xml

Filesize
322KB

MD5
d079dea3638930551e26f38a27fae252

SHA1
40baa9f5111ca9fa63e6f4913a1070fd75777a90

SHA256
8615bd5618587401ead03d2cd5a494aee278f032a60ff9fa0bdece42c008e1ab

SHA512
5f1a436c7b697908a2ff064db1836d0eec3a1fd5e5749638bb8a9f5094a7486410a3d1e704f89d0f6051050beacd5451636b970bca1746c2ec27e3d8f9fe4145

Download Submit
C:\Users\Admin\Desktop\NewSplit.mpa

Filesize
353KB

MD5
b109892836505b5410eb796af2b63e87

SHA1
35934cd6c0a49d75ae9626b26466caeee3f0ffe8

SHA256
9e65740b4518c96200af4080cd0b39b1012d3ab6273b2326de59ccdf8842223e

SHA512
5e02481a8810e2a1ef56c19d58cc54c2f31f9e4be91e6126535fbce60c6de04dc63a1672f4b863f3266af647c62665f4cbc929491ce9a2869be55a5309f7a41c

Download Submit
C:\Users\Admin\Desktop\OutUnlock.mid

Filesize
414KB

MD5
7dae006372018cfbcdfa353ded336863

SHA1
20de4f94681cda31fbd5dcef4058fa1c67875d1e

SHA256
9f42a3ad2fdd04ea8bf5206c1ff3c0c02a301f5f9d864b321fcaa72fc7d32356

SHA512
bdd74f4de43d561fd65cb069adad5177ad59d6b1b8dae23efa67f41f5bd53499ed03d0a9a4e737e46115342eb6ef58232b5d12be80d5c29813e15d2c2e1eba98

Download Submit
C:\Users\Admin\Desktop\PingUse.pdf

Filesize
215KB

MD5
b3903645bde45fb90419607849d55516

SHA1
7f2532533a2cd710adb3b354dc602d930ee0375d

SHA256
dd29c96f0e526d193e8dd1316ceb75e31d02e779082342263ee92b3d5800ea8d

SHA512
6bddb355a372789821465fca5c4cba4ec2ea3c339293adbff90c39301137517f7d3072dc51ee6a0f595c58eb9ef4ac0ca4e7fb8f0dbd596f9017a07142b7e5a6

Download Submit
C:\Users\Admin\Desktop\ProtectDismount.mhtml

Filesize
261KB

MD5
12196009731a6e26b39424ae7b3a6be6

SHA1
1fa630e736715e8cee35d6d85b099e30d4284e45

SHA256
ed77d826715e94aad724a1af4a51cfe64edefffdbdd63be6a787a65d82b59c8a

SHA512
051527ef3665d06c49a2aaa575f250e0fb6d93b0bf7d99592ecd896a781d738e2a26361e021843bb683e842b82f50f4720b3e45ab721294fc00a1559fb5c642b

Download Submit
C:\Users\Admin\Desktop\ProtectRepair.dot

Filesize
153KB

MD5
957a2bed4efb0c27fb34222cfe6d913d

SHA1
beb3c7d56ce62a48c24408f356ad948771575c6c

SHA256
d5817b45988701efc0344e4f9abd97b22a9938a39d9d6d63869d4dce4e9b6253

SHA512
d84531411c49b87cdbcf7388e8286bb233693a54ddabf72856e5767912506ff60e021d0d17ff5045c3b115b6f7039ba9ce983f35f9f4e3ecab4e4be864be32bc

Download Submit
C:\Users\Admin\Desktop\SaveWait.mp3

Filesize
337KB

MD5
93592d37fa9b9c047c73c54ec51a62a1

SHA1
25fd25b7b4464c4e0b53df0813b9d10688ec0282

SHA256
761a2e422ea9453f9e7fed7171f5cf2d0e15c00bb7dd78e7452f950ef9df75fa

SHA512
3423a3505138073b7840a9bae115f6fd227643da5936de394f74f36256adc2562d696a2b537e537843be88233b2dddaf6621ba7b7b9ce631f8a0ad8452cefe32

Download Submit
C:\Users\Admin\Desktop\SubmitInitialize.aifc

Filesize
199KB

MD5
1bd22c1747374b4fa5cb66e23d26a078

SHA1
d202b5520617cf8f84e7a0885e77b5d79831a06d

SHA256
77fbecee3813bbcba0bd2745fab54430a0a1489b129527a316a73d1ddd661ef8

SHA512
fdf0b72c7811c89dd978cd3774507eba45a66e0b7f737bdb955fab6d09e3e2755e24af96da0127a65cd0dca8664ee0197c4bc10eea0bdddbf489e30975b08e6a

Download Submit
C:\Users\Admin\Desktop\SwitchMeasure.bin

Filesize
230KB

MD5
e1838607370e73a294038eb08fda3894

SHA1
79af7e707c524296eab50f20a7193f6b94f263de

SHA256
43393378746aa19a776f60d549df9fed3c09cb062077530fbeb261f04d1af848

SHA512
24024120a3d9496cfc6f5345166efcdc57acb067d7536593e1d294e29c1534c71548410e300efa6bcbac75bbdae6dddc97a1192bf5a32c0eaeb682b1f7089b3f

Download Submit
C:\Users\Admin\Desktop\TestUndo.clr

Filesize
184KB

MD5
461b980e73afe827c4b87b646c7f26a0

SHA1
3fbbe01acf2795796e8c2b11be58dc9925592589

SHA256
ab69c9aae501e237ff9b99777021d5f56e5826a038aaa9d7011c5084363cb02a

SHA512
41a44c11256856d58c1f7445ab1c4936195cf7d1018c3f12ced97f7ccdcfcf35d00dc84e87fcfd163318844fa485c42f9c98400212e328b030004a91fd7c9ec3

Download Submit
C:\Users\Admin\Desktop\WriteStart.i64

Filesize
368KB

MD5
66d787a1222116e7ddf7c55833590af2

SHA1
63bccfebad9f596e559ebd169deea7ded53cf545

SHA256
fc5968ee322d9f6a1a1a1793413946649bf986a11fe2427c16b09bc24aeaf332

SHA512
a9b502bb12679215c79a5836c328776777b4f12d785662be079f35196ec8becea5513f7ae45fb1287ac39d3c18b0f5fc89d5071d5923ae209562e96e7d3c397a

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
5013932dc5a8e8c52638110277622783

SHA1
e65e91dae0ec64987490f29463eb1a9e94edfe1a

SHA256
e027940fecedb6aaadfc0358ce446729dac7d9eb296ed90320217c9d818bd281

SHA512
be64bc213f9e3095957a0b03e347145c0f038c7a33d1103e79d9a423268d3c3a9bf50d94db0cee9605dfa7af8d074e1f7728bdc853da7c5c92233a888dcc8aca

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
b000e5e73f3fa2cf95db4cdeafa2cf8e

SHA1
dd9294fd82637ca1500837bf656cceaa28ab39d6

SHA256
4b45db9e0db6e72ad26e4cc5bc54bf3701144124a71d552735421d749d54acef

SHA512
f162594541a03a5c3fe40100f3ff04170681d1ef2e0b453709af5b77206027df68727032340336f9072bcf719f1cdd8c2cd71aa9adaa64705c664b04eeb41e69

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
1391c043e54774437438c1b4903b2fb2

SHA1
900728322a26ae6748fa5b0e0de6bab199daa826

SHA256
febf9b28d5c365cd1289e467b5aaba791d69ab80a1c88148f883efaa6017afd1

SHA512
3c1d0df714ecb2a00dc34e919255f0b33efcc05a3fc9720368264c74dbd1935bfecc448858fa4cd98b71ae14d6d95e6041067cf9fa8c6f2ae11186adcde0b812

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
0bb4bff4a1e8d3a92c179c7e7f4980f1

SHA1
197688a749ac3cb72c67f8033ce560fdb44b3325

SHA256
126660695a9f0a35c5499321c2d87c0a7bcade6b62c7b820f21ca61924d8f92e

SHA512
7c1a3c7d26efc514908b16caeb162b580e2b9bc7545e5db95cdc7175bd111683b69dc28f862866b3ff6430421ba612535c0fa29ca8eacb6c5cf7b7517d41a244

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
27c55cf6092a94cdeed8d5a528df7093

SHA1
11eaf98f3c169cc00f04da63445a349c7ae69fd3

SHA256
61bc7a56d704dd851bd20fcfede124947dfc758e324b72c65885a5d605b3ff89

SHA512
a4386aa33c6810a1399a30576dd1951b5f4c7deaded86f67064a33d0c709cb356ac0501f27a1a1624f7817c0fc3dc82ca6a8a27fc5aa11b5ef367c1a18eb88f9

Download Submit