wannacry | 66ddd0edb16bfb041ccfa78e41af074bdf2f9b23eda55e45b54d29eabb1200d4

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22fd61e52893c9aec35545c81067f2a6_JaffaCakes118.dll
Size

5.0MB
MD5

22fd61e52893c9aec35545c81067f2a6
SHA1

d465606dc17e7daa070f79d5ceb27b288a5698d7
SHA256

66ddd0edb16bfb041ccfa78e41af074bdf2f9b23eda55e45b54d29eabb1200d4
SHA512

aafc64c98775a9f47dfccb0fe06ee7e4f5d12ec2fac4aef6a0f0b6c1250f9906e33c06badc8f8f5bca92e4fc0a8933c80bd673d2dfc2f96e0bb938720ac1c8aa
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvntuwP:d8qPoBhz1aRxcSUDk36SAEdhvnz

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3237) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3020 mssecsvc.exe
2892 mssecsvc.exe
1928 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
3020	mssecsvc.exe
2892	mssecsvc.exe
1928	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2944 wrote to memory of 2964	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 2964	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 2964	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 2964	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 2964	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 2964	2944	rundll32.exe	rundll32.exe
PID 2944 wrote to memory of 2964	2944	rundll32.exe	rundll32.exe
PID 2964 wrote to memory of 3020	2964	rundll32.exe	mssecsvc.exe
PID 2964 wrote to memory of 3020	2964	rundll32.exe	mssecsvc.exe
PID 2964 wrote to memory of 3020	2964	rundll32.exe	mssecsvc.exe
PID 2964 wrote to memory of 3020	2964	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22fd61e52893c9aec35545c81067f2a6_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22fd61e52893c9aec35545c81067f2a6_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2964

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3020

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1928

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
fb15c8ad14be000ec5693f13cd9ebc0b

SHA1
8df067c1fed20c8b355c41e722a3ef2907dcb296

SHA256
f4b232df1dd733bbef43ef2b3ddd881d12b0c4a888d343116c0bbc8e41f4ef9a

SHA512
e3d9825bcafb35850b6b4d6db5a874e5f0c4fa1e39bfb39f5b9fc11f9696723d65f80e8914f0739f5bca6e33ef16b8e03e91ad096680b400dbce135459cad8cd

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
72bb30f1522073dc153d42422d827dd3

SHA1
2746fde6c01ab9c36fc19619bca05aa024f55d5c

SHA256
33575a9d9dbb3d5024ec7f30ffaa0a50e8c5f318acba559bbc4a7324e4dbfd2b

SHA512
1b96f1092dae8c15673b3a322aa41048b646e2a96c27712d228df3728711d411621e46ba12a459e8a343c0401cedb59a2ce457118650786eaf11b6f7c0f07591

Download Submit