wannacry | 207311091a37e677abb33085d8c1f2058a87b9b62c2a8f0559a170c8e3cabd67

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff8cca22c4705dd29bc58fa036fb992c_JaffaCakes118.dll
Size

5.0MB
MD5

ff8cca22c4705dd29bc58fa036fb992c
SHA1

bfbb78abb21d20d48d6612287f5d7aeccdf3bce2
SHA256

207311091a37e677abb33085d8c1f2058a87b9b62c2a8f0559a170c8e3cabd67
SHA512

a101647f904f196468c23b216fc80c9b859b09c6e2927f6883eb470e3330689179b599b7c9a2e3201d70f988f52b554e03fe4977befdda7cced4ec08f826d015
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAmxWa9P5qAVp2B:TDqPe1Cxcxk3ZA5adYc4B

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3209) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
4560	mssecsvc.exe
4848	mssecsvc.exe
1852	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4612	2700	rundll32.exe	84
PID 2700 wrote to memory of 4612	2700	rundll32.exe	84
PID 2700 wrote to memory of 4612	2700	rundll32.exe	84
PID 4612 wrote to memory of 4560	4612	rundll32.exe	85
PID 4612 wrote to memory of 4560	4612	rundll32.exe	85
PID 4612 wrote to memory of 4560	4612	rundll32.exe	85

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff8cca22c4705dd29bc58fa036fb992c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff8cca22c4705dd29bc58fa036fb992c_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4560
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1852

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
71a5ae65fb56e95cc0eddb92ffa8685a

SHA1
5edc527213f33b8c7a064f7f677a17ce05f914eb

SHA256
8ea8d1f743eb958af70a9e3c6d1127995c60af96abb8a0654647631f0fbfe7b6

SHA512
8a36f7b50c0022f6a3d21a76aef53b59ed8d658dd1b6493e8f89ca04d2e1de9d7c11ad0e33d2d2a508db0cec1727875f748f1cd55081e4739a6a10f12a395201

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
da23d9da01ad8ee0321c2139e4b20d0e

SHA1
cbed0c81bdbf0afe5ec6a657a11e1a08b82918f9

SHA256
ca4e44dda3249e9fea7153a46ca34dc6dfa0f9d6b28625487cd3df94b69df016

SHA512
ca41caae4fba961aa30f2d26f9e6dd775e9c79c21e0b911e27891afbb26203a5e77109ceb3b5206f4633c146f70403c1fbae3b19b7f68ecb6f35b90059c9a7a3

Download Submit