wannacry | 83c499d4faeaf878a311c1f68ce8795a86d46f9bfc1599010394aa3106daba60

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

599ba047a5f78a122a99547862b692f8_JaffaCakes118.dll
Size

5.0MB
MD5

599ba047a5f78a122a99547862b692f8
SHA1

5131f90bd2a8831034da0c8ae81812f629c2d51e
SHA256

83c499d4faeaf878a311c1f68ce8795a86d46f9bfc1599010394aa3106daba60
SHA512

ff6ba51959950b510ad3805680cda5bcc2676454f73ee2bf1ccad41610909365e4aedb15bb9681c602bdbb051d4196a1d859182cb6c3ad24b75756b043d7b57b
SSDEEP

98304:d8qPoZ1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qPU1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3295) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1664 mssecsvc.exe
2476 mssecsvc.exe
2516 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1664	mssecsvc.exe
2476	mssecsvc.exe
2516	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1728 wrote to memory of 1884	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1884	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1884	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1884	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1884	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1884	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 1884	1728	rundll32.exe	rundll32.exe
PID 1884 wrote to memory of 1664	1884	rundll32.exe	mssecsvc.exe
PID 1884 wrote to memory of 1664	1884	rundll32.exe	mssecsvc.exe
PID 1884 wrote to memory of 1664	1884	rundll32.exe	mssecsvc.exe
PID 1884 wrote to memory of 1664	1884	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\599ba047a5f78a122a99547862b692f8_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\599ba047a5f78a122a99547862b692f8_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1884

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1664

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2516

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
f5efcb9578e09bd52832cd8f54c48412

SHA1
0d9f160b17f83003017df029ac882d9063815b0a

SHA256
e3a2eb6e22f140e0643c9de6a2a9b6647326cd8209e4e1fa170a96b129399c8d

SHA512
92b3e8127c16e59a3589aa3795e0dd09a1fc803be8138f75b679eb9b8085b81ce8e25908f279b17237ebcc9f87c0db615a2dbb38cd42c01115cd0cc1a7bbf5d6

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
5447d9c6b5aaf314fb733eefe6213c1b

SHA1
0df4c25989b33da04b52de59a39d90ea7940e790

SHA256
5cf0ed45cf93cf6112099e3eb6b3b5266a1b180df9904ae18f9699430984f289

SHA512
646463f50172d247f4f70901e864b36728616997f4dd478a861032e32b45b2335eaad02980c3e61987ad5b29a7d26bde286b3567efe748845a1f1e38768df940

Download Submit