wannacry | f3f54aa74f08e3296c2739abb0f8acfe23f3b23147e668a5df63af15f832a42b

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll
Size

5.0MB
MD5

70d5a64d5c2a642f64a80762e3334e2d
SHA1

f78269fb31a6ffce0fec200e59c546fc6113eae4
SHA256

f3f54aa74f08e3296c2739abb0f8acfe23f3b23147e668a5df63af15f832a42b
SHA512

65bf9a81e2189bb1c3067a6491ed1a28bfa035755ad87f5dc45b66ab21d38b49b4eb7e05cb3c0019944119b99f20a48b2c9158d5fee474adf75692a78fdfa706
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhn:d8qPoBhz1aRxcSUZk36SAEdh

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3072) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2684 mssecsvc.exe
2940 mssecsvc.exe
2676 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2684	mssecsvc.exe
2940	mssecsvc.exe
2676	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2256 wrote to memory of 2012	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 2012	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 2012	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 2012	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 2012	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 2012	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 2012	2256	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 2684	2012	rundll32.exe	mssecsvc.exe
PID 2012 wrote to memory of 2684	2012	rundll32.exe	mssecsvc.exe
PID 2012 wrote to memory of 2684	2012	rundll32.exe	mssecsvc.exe
PID 2012 wrote to memory of 2684	2012	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2012

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2684

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2676

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5617da4c2911a0c6768d790f0e0c88a0

SHA1
ca7614c80676b4b5e7c224e3c3f5b87c4aa3454f

SHA256
e15997d60c507a0f996572c2e5433619f38d829a66cd7ff24a0f53431617c359

SHA512
62cbb5af46d4e41fea974af54d6546d9ff13af1a31c14fb83fa2d9d0a6a7cf7ed6a05bc775a0ce83ae915bf9a435fd23599ad0ba33ba96ef863a2fc47e5cf9dd

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
b91800f044097d66a2956440ade809e3

SHA1
163381e41d1665d3325f0081b0feb83f399a117f

SHA256
324eaf7b3ecae86cfe0f4c27783e777714512b8b2a017314089bf335ecad7fe9

SHA512
a191ef5d5493949dcf649e22629d748f2059c1a5d95013ec1bbf9ad835e61e4e9d0cd7ad5df6e8e33c417e412256cb796c2576a5935860dcdc67d2dbb91177a4

Download Submit