wannacry | 610196bdddf7c8e3c2a05e2c9894b84c1c20cbb2126bc9b7c930e05a6ac839f8

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e3f26dedf4198bae015c585b1c02d2e_JaffaCakes118.dll
Size

5.0MB
MD5

3e3f26dedf4198bae015c585b1c02d2e
SHA1

9f18ffe559436ad5436a576ceb29a6f7bc078312
SHA256

610196bdddf7c8e3c2a05e2c9894b84c1c20cbb2126bc9b7c930e05a6ac839f8
SHA512

01b5310e264e0c54f857929879c043c238e875c909858ee937c233f0ec239cbb43f790573126b8caf51788faf5d99521c84428c4809f849b0f18d5dc7fc94761
SSDEEP

98304:d8qPoBhMcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qPFcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3181) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2860 mssecsvc.exe
2680 mssecsvc.exe
2544 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2860	mssecsvc.exe
2680	mssecsvc.exe
2544	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2268 wrote to memory of 2848	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2848	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2848	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2848	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2848	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2848	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 2848	2268	rundll32.exe	rundll32.exe
PID 2848 wrote to memory of 2860	2848	rundll32.exe	mssecsvc.exe
PID 2848 wrote to memory of 2860	2848	rundll32.exe	mssecsvc.exe
PID 2848 wrote to memory of 2860	2848	rundll32.exe	mssecsvc.exe
PID 2848 wrote to memory of 2860	2848	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e3f26dedf4198bae015c585b1c02d2e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e3f26dedf4198bae015c585b1c02d2e_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2848

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2860

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2544

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
14781bc48b690258f2913807d986e703

SHA1
f0316cb8d00da6c3e87ab1d433289548328a7e48

SHA256
acd476151d917bbe01bed15605156420c89cc951ca8e74620c552f627b97e349

SHA512
31ddc468dee81fdaf661321aa14a8c90f66407fc6835b3b90fe5948fb42ea0031c186a958a2fb4c978a14d6fb274161fc0ecaccdf170a7f9f1d88a4cde6ad738

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
6b7a6acce1ea51fabbc8d73dbfc942ec

SHA1
3d162e9a395718ba30925b2873638da88d74a2fb

SHA256
d3a9c84fbd4ce82d31979a75d36d4da004a6a8738c85f91b82cd7ffce403f838

SHA512
50c3895371238a9b610fac4f946464caa984edc4bd4a714669cfb80dea2a0c6bd0a74bb293bb85d28fae9724f2b50ff79b87e230d0d2585ff790ea12317a1657

Download Submit