wannacry | 9f921c2792d619330119c81978aa87c3c3da127bbb8d5b8a48d71b3aa1a2af7a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50c78f65284324b6fc52a393837f9593_JaffaCakes118.dll
Size

5.0MB
MD5

50c78f65284324b6fc52a393837f9593
SHA1

b8a49a66ecd755063c9eeaf26090ef5dec956b21
SHA256

9f921c2792d619330119c81978aa87c3c3da127bbb8d5b8a48d71b3aa1a2af7a
SHA512

f26bf5b723889a24a29216c1f411cba2f6f456342c10d1afd5106d3e94e57e7ecf31a71a63dcee338bf9fa381bb4879f30e0768bfc9781490b0c64788c1916ea
SSDEEP

49152:SnjQqMSPbcBVQej/1INRx+TSqTdX1HkQ:+8qPoBhz1aRxcSUDk

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3335) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1932 mssecsvc.exe
2392 mssecsvc.exe
2280 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1932	mssecsvc.exe
2392	mssecsvc.exe
2280	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2116 wrote to memory of 2228	2116	rundll32.exe	rundll32.exe
PID 2116 wrote to memory of 2228	2116	rundll32.exe	rundll32.exe
PID 2116 wrote to memory of 2228	2116	rundll32.exe	rundll32.exe
PID 2116 wrote to memory of 2228	2116	rundll32.exe	rundll32.exe
PID 2116 wrote to memory of 2228	2116	rundll32.exe	rundll32.exe
PID 2116 wrote to memory of 2228	2116	rundll32.exe	rundll32.exe
PID 2116 wrote to memory of 2228	2116	rundll32.exe	rundll32.exe
PID 2228 wrote to memory of 1932	2228	rundll32.exe	mssecsvc.exe
PID 2228 wrote to memory of 1932	2228	rundll32.exe	mssecsvc.exe
PID 2228 wrote to memory of 1932	2228	rundll32.exe	mssecsvc.exe
PID 2228 wrote to memory of 1932	2228	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\50c78f65284324b6fc52a393837f9593_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\50c78f65284324b6fc52a393837f9593_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2228

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1932

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2280

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d751c7850b95241123e148acf0001478

SHA1
c4a223fb431220e6528a81d553febf19ab155d14

SHA256
287ec6857a5923061ce67abd17130523cae0ad4d1605ec8c1fdaf98a1912725b

SHA512
ea5a7b5bc16d6843579b92239f4e7f742592288f0999f868671e682d44d53ff9532ba5d4ccdff9f32c8eb294f5d8e00a20ae0d776781415b0f785ddc3f4cc4b1

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
eebbd01b7d0df40681662225b1824de3

SHA1
4b92e24040f56ef9992381f6c8c03d5d464af8a1

SHA256
fbe6cd93e1e6bda599c8d0f12a902384e5b170a1f2332aefccb66974b79b75ee

SHA512
af2a5165c5a2ff99bf4f811bf9d3d57d610a23cd43c668ce7e236fd177ceca7ad6050a1af1a0bb2f2bf222f73bbab8bc10559219e09da46f61919e7430fb798d

Download Submit