wannacry | 896f063efc74968f6604452f1ecc3f468866641860b15f89c013535a625ab501

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f36ba41ce8bdc804b50bf43b36547bd_JaffaCakes118.dll
Size

5.0MB
MD5

4f36ba41ce8bdc804b50bf43b36547bd
SHA1

35e90bcc8648b303a9f58568d067a684b020e018
SHA256

896f063efc74968f6604452f1ecc3f468866641860b15f89c013535a625ab501
SHA512

0b853fd08c19be2d6ab7a75e121b3d27747e76ef7dcd168b78ec8c9572c67287d32143839a095ae05afaa2c6dde0066d61dadf081e3a15e301762d7766156933
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAvxWa9P593R8yAVp2H:d8qPe1Cxcxk3ZAYadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3242) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2028 mssecsvc.exe
2756 mssecsvc.exe
2856 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2028	mssecsvc.exe
2756	mssecsvc.exe
2856	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1132 wrote to memory of 2012	1132	rundll32.exe	rundll32.exe
PID 1132 wrote to memory of 2012	1132	rundll32.exe	rundll32.exe
PID 1132 wrote to memory of 2012	1132	rundll32.exe	rundll32.exe
PID 1132 wrote to memory of 2012	1132	rundll32.exe	rundll32.exe
PID 1132 wrote to memory of 2012	1132	rundll32.exe	rundll32.exe
PID 1132 wrote to memory of 2012	1132	rundll32.exe	rundll32.exe
PID 1132 wrote to memory of 2012	1132	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 2028	2012	rundll32.exe	mssecsvc.exe
PID 2012 wrote to memory of 2028	2012	rundll32.exe	mssecsvc.exe
PID 2012 wrote to memory of 2028	2012	rundll32.exe	mssecsvc.exe
PID 2012 wrote to memory of 2028	2012	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f36ba41ce8bdc804b50bf43b36547bd_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f36ba41ce8bdc804b50bf43b36547bd_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2012

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2028

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2856

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
e6e04953a8f2e6d5f4c483116ad23011

SHA1
7525701c9ed4d7a0b8b3df071647edef23a259ba

SHA256
436af9abe4153448a945378f75b12220ac4364d1b231c823067deb7211e29c9c

SHA512
a405696a218e3659277c1d12f50c0bce8ed0633c22cc260bd6c27a6a09db1d021f0ce6776ef7f7a2d1002dc85d3e1dbc025025c26d134b667be2d9b325705a53

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
169f3f49036342bac8b45faccdcb581d

SHA1
10d11eb2d314ad3fbe44218af56ae2d346e82c65

SHA256
2ac0743066a9808efeea054c8801023ca545735bb380ee2eb6526cee8755815d

SHA512
80d0b353e1790fe913ff65b805ab722625dcbe05da40bea21334a31280bcef6550758845139dc2ef7df358a859dd95e025cdef6c3e97374904f9375c383f732f

Download Submit