wannacry | 43501ea65f62d22f6c1b1fd10ea04feefb513f18d05217e5090f001f4180fa9d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

660e3d0835ba930aac57a0590eb0d5c5_JaffaCakes118.dll
Size

5.0MB
MD5

660e3d0835ba930aac57a0590eb0d5c5
SHA1

d0a496937233b8fe6bb5b43c1878ec2f3c1049b8
SHA256

43501ea65f62d22f6c1b1fd10ea04feefb513f18d05217e5090f001f4180fa9d
SHA512

752a4dee87dc749047c53c8a035444e7a88462a0951cf49b6c018b5a3790d955e870074898ddfeb45c205192238d1d54d01bdeee34144f11f409b5eef987368f
SSDEEP

12288:ywbLgPluxQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+4F8SNTJYsVr7D:JbLgdeQhfdmMSirYbcMNgefuF8S9r7D

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3346) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2588 mssecsvc.exe
2504 mssecsvc.exe
2684 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2588	mssecsvc.exe
2504	mssecsvc.exe
2684	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 2172 wrote to memory of 1708	2172	rundll32.exe	rundll32.exe
PID 1708 wrote to memory of 2588	1708	rundll32.exe	mssecsvc.exe
PID 1708 wrote to memory of 2588	1708	rundll32.exe	mssecsvc.exe
PID 1708 wrote to memory of 2588	1708	rundll32.exe	mssecsvc.exe
PID 1708 wrote to memory of 2588	1708	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\660e3d0835ba930aac57a0590eb0d5c5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\660e3d0835ba930aac57a0590eb0d5c5_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1708

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2588

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2684

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0a1ffc82898ef68b541b9d0ce5dff767

SHA1
0d0ec380dfeadaeb64cfdcc424021506b4f0fee0

SHA256
5578bfd8148ce79ade1dc8844fe9e80439610d155b9373ab4dae6dab56a7da1a

SHA512
15c9da4eb702416a6d73f8e51191cf28acde36fec03afb5814231a5cf440b841f8fe14884881d8c311a30a3c0a37985304d51be57f02acfe116f49aa454a5d8b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7e44eed7d5567d9be8d343434d2d748a

SHA1
087d40455e951500bb184c25dff8d2d1f8426a6c

SHA256
e78c458b296087d851e08c862be60c345124259fed8885aad55462472cdad1ae

SHA512
7fdfc423dae73b4cd0698e9692001e2ba15196d4efc815f13ddefbfebe86661e8d5721165feff61e3cbfd06d2d5254db5b5586109444c46eaac61691fb10211b

Download Submit