wannacry | 9f7e1e530d7c11f7e9083b08cc6956e2d2d36e5fda338a0b11d339e50357729a

Resubmissions

29-09-2024 07:36

240929-je77jsxfmc 10

29-09-2024 05:39

240929-gcnc9avbjb 10

Analysis

max time kernel
600s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fde5dd4d222179bb32d21414e5aeca4a_JaffaCakes118.dll
Size

5.0MB
MD5

fde5dd4d222179bb32d21414e5aeca4a
SHA1

9318006aeb286d8ed4d069be7e7a947ee38cea07
SHA256

9f7e1e530d7c11f7e9083b08cc6956e2d2d36e5fda338a0b11d339e50357729a
SHA512

0edc23d89871c6df94f52eac68cc8fabbb4d2a6f31f5a2f693b9e1ea2f59d7ea256a94fa22c2f4841fbb2af43cf9a02e93d4b8ec994022e5b6d95fd8bc974d33
SSDEEP

12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+Dojm:SbLgddQhfdmMSirYbcMNgef03

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (13149) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4936	mssecsvc.exe
4880	mssecsvc.exe
3376	tasksche.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2844	1168	rundll32.exe	82
PID 1168 wrote to memory of 2844	1168	rundll32.exe	82
PID 1168 wrote to memory of 2844	1168	rundll32.exe	82
PID 2844 wrote to memory of 4936	2844	rundll32.exe	83
PID 2844 wrote to memory of 4936	2844	rundll32.exe	83
PID 2844 wrote to memory of 4936	2844	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fde5dd4d222179bb32d21414e5aeca4a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fde5dd4d222179bb32d21414e5aeca4a_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4936
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3376

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
0d2119a2fd896b8e80eb75ecfd13fdd2

SHA1
49e772784574d58d25dfd70454f22bc910ebf346

SHA256
f01df2f71b0bc0b8fdfe87c68c51069f8837d02cff2ca91d9f1bfdf3911b0a48

SHA512
5e78dcef0e6cd97b32aa13e388bc8d2359269527ce5f728e61b09da24060e2dc6cb25edf4183367df526edd4e0f57aeb3e41b3a797af4c158539992ea08d58c2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a594cfc8b003521a98173209d7f1aead

SHA1
7a71b33989a3d17d2b63d7e5ce9ecfc9ab977a88

SHA256
6e5d80eb1a571426987b65ce78c6229c557dc8ae28ac274167c8628efc96c931

SHA512
531b9766570de42fea049ef31f08aa25b7ee60d754e13b2d569471d6e5403fe5f5731bfb4897e8cef62542367e65d6d3f42aa3b745802037391c1cc0056bb873

Download Submit