wannacry | 2e32e311c5bbed5be20077b6ae1fa61bc5059018f31eca3bcd8553676ead6978

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54abfdd9a04adff0c2fdffabaaa4b956_JaffaCakes118.dll
Size

5.0MB
MD5

54abfdd9a04adff0c2fdffabaaa4b956
SHA1

3c143da1fbb2e8420c593c7f66b9663f6f4df175
SHA256

2e32e311c5bbed5be20077b6ae1fa61bc5059018f31eca3bcd8553676ead6978
SHA512

08f73706b083685d8512e1dcf19676a02ca77954b6210672e08da5cd9e18220872fb90eb3fa3a7c944ea163e2d823d33f051704df86f7689f70ff278b26fe695
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9P:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3172) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3004 mssecsvc.exe
2540 mssecsvc.exe
2552 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
3004	mssecsvc.exe
2540	mssecsvc.exe
2552	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1500 wrote to memory of 2888	1500	rundll32.exe	rundll32.exe
PID 1500 wrote to memory of 2888	1500	rundll32.exe	rundll32.exe
PID 1500 wrote to memory of 2888	1500	rundll32.exe	rundll32.exe
PID 1500 wrote to memory of 2888	1500	rundll32.exe	rundll32.exe
PID 1500 wrote to memory of 2888	1500	rundll32.exe	rundll32.exe
PID 1500 wrote to memory of 2888	1500	rundll32.exe	rundll32.exe
PID 1500 wrote to memory of 2888	1500	rundll32.exe	rundll32.exe
PID 2888 wrote to memory of 3004	2888	rundll32.exe	mssecsvc.exe
PID 2888 wrote to memory of 3004	2888	rundll32.exe	mssecsvc.exe
PID 2888 wrote to memory of 3004	2888	rundll32.exe	mssecsvc.exe
PID 2888 wrote to memory of 3004	2888	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\54abfdd9a04adff0c2fdffabaaa4b956_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\54abfdd9a04adff0c2fdffabaaa4b956_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2888

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3004

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2552

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
798d5ad296ae696555dfc0abb0cd1707

SHA1
c503fb426e4cd48803d5ad4f1a04fa1f6cd9e636

SHA256
1fd7013c515832aefb1110e237eb1048aca541f7008086ba915a4d1e95011497

SHA512
58fd36971df50a8b6f8297b456c9618774926aa31a06a701de0575d3756ee51e65ae8f4401b02133e309c2caa686e9c8cd354e2fbd15278151ef470e43fe422d

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3f95e01a2a689b9a4bd17a115540a5d7

SHA1
c057ac5632916d49b3deeedf08d4e983e3871b9a

SHA256
f335941ff4e55294337104ce908cc8b1e1fac6381eddcf5a6accb7fd0d3966b1

SHA512
f666db04637f82b5490e9dc71d17d9cfb5c4f32352b02500a9481dae0d93efd782f22267e56bf3514f41f0fab9a23be6b244e3cc0aab7d02f52c753bb1c4276f

Download Submit