wannacry | 0aa2c452f9bcf294c06022dfb58c6a524b77e97deb89b1e2bc7eba1cc7af357a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

223d7dbf628db2fc3ab829db72f5ea43_JaffaCakes118.dll
Size

5.0MB
MD5

223d7dbf628db2fc3ab829db72f5ea43
SHA1

086dd22cf8dba48e49384f2d5f62a8a19651cbb2
SHA256

0aa2c452f9bcf294c06022dfb58c6a524b77e97deb89b1e2bc7eba1cc7af357a
SHA512

af8a44d512156296089f95d329e45e1ba50d9d52c970d69dcaa667c433593727910b1c36f46c850f0820a4e9885c63bb9a4adf31af8672f7316ea3df5b4080cc
SSDEEP

98304:+8qPoBhz1aRxcSUDk36SAEdhvxWa9D593R8yAVp2H:+8qPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3153) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1952 mssecsvc.exe
2484 mssecsvc.exe
2516 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1952	mssecsvc.exe
2484	mssecsvc.exe
2516	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2136 wrote to memory of 2124	2136	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 2124	2136	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 2124	2136	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 2124	2136	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 2124	2136	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 2124	2136	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 2124	2136	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 1952	2124	rundll32.exe	mssecsvc.exe
PID 2124 wrote to memory of 1952	2124	rundll32.exe	mssecsvc.exe
PID 2124 wrote to memory of 1952	2124	rundll32.exe	mssecsvc.exe
PID 2124 wrote to memory of 1952	2124	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\223d7dbf628db2fc3ab829db72f5ea43_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\223d7dbf628db2fc3ab829db72f5ea43_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2124

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1952

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2516

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
e692b1e8267d94e8ff5d0d1e3e50dcc6

SHA1
d74391ffefd682a035df83e6cf35fcbcea3251bc

SHA256
cad5ef851c6cae5e641981e03a42864522f39b1fe5b55ac0963e6e5ee4e00595

SHA512
2ea4c1355970cd8ee6b655c10276c15b406702f80d9ce46a96dd3df8d629947e39ca8570ca9d849f65eaee9fe45f5eb04bd21f988cfb517500ff7e0f9e486f4c

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9c03498aff7cbc27c20821569163c537

SHA1
0aef7213966dd19090e61097b47194fe168a8422

SHA256
5cd6bcb86ee8bd40af3bfdf44bcb1b90caaa4a9656bc8d0cd6615cbc3c0b24bc

SHA512
b716e63bb3990cd49ca8891df841ea82dd3c193a58f4f6e1dceed5c5912b4e9e26d910dfb9c1907002f72d11da681f2170e31c100cd0ee3e7ba0e46a11b417a1

Download Submit