wannacry | 22ddd844eb93a423794a7899e15015b60871def49f9973f06c37c68a639dd0ca

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll
Size

5.0MB
MD5

6a4efb8c17327b22a4eeb67080917079
SHA1

0fd519b3da2402d53075f8a2dd4b7d56328c70a9
SHA256

22ddd844eb93a423794a7899e15015b60871def49f9973f06c37c68a639dd0ca
SHA512

8b39bcb332c9605545d6656eca8b7e9660db276ada00cf8eab1289f9ee21da4631c5ac1c3d720854745951a206a7396a4d997132abe4d7d3feb5a5f8275c3d9a
SSDEEP

24576:JbLgdeQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTPVXmi:JnjQqMSPbcBVQej/1INRx+TSqTdX1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3252) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2212 mssecsvc.exe
2228 mssecsvc.exe
844 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2212	mssecsvc.exe
2228	mssecsvc.exe
844	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1764 wrote to memory of 2040	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 2040	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 2040	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 2040	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 2040	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 2040	1764	rundll32.exe	rundll32.exe
PID 1764 wrote to memory of 2040	1764	rundll32.exe	rundll32.exe
PID 2040 wrote to memory of 2212	2040	rundll32.exe	mssecsvc.exe
PID 2040 wrote to memory of 2212	2040	rundll32.exe	mssecsvc.exe
PID 2040 wrote to memory of 2212	2040	rundll32.exe	mssecsvc.exe
PID 2040 wrote to memory of 2212	2040	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2212

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:844

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
17977ba1ca086ccd84aada0e7bb51286

SHA1
af5410554ea45be32f144bb653492e568f74a35b

SHA256
447b5ebea929be23d5cd952fedf51fd0f9ef7df6f65d411723fc4110a66b955b

SHA512
3f94168ad4dce69f6ef25ef6c93fd898048b17c8c3afed7353e1430d39ba43fad52ddddb172a743897586d51fcda29d98ab94ebfbc29e98b191a79ab748ae948

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7a197ee3214806f5e77b7f3a10509a4b

SHA1
df87b86ecb3fb97f49500d017ac887ca35e4d169

SHA256
2225c3d46c50b02422c57e516239000eaa2224115067693aea57165a59c6d5e9

SHA512
b9ae9ab9d49884ff9d7b59ffd63deee132f9340d6193c16df96913afbeefe170776e8b6a1c62fece17b32f95210903f299da83a446bfaea2b0f22b6330c63a88

Download Submit