wannacry | bd236394e3a00363d54a3d1913bfac26fffab2b94086e171b500c9b210e6db95

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll
Size

5.0MB
MD5

72f92b256a78bcd62b59529aa3004398
SHA1

c376e6ae79998b7afe09c3898c91e0e818d255d4
SHA256

bd236394e3a00363d54a3d1913bfac26fffab2b94086e171b500c9b210e6db95
SHA512

92c5f03b07c33b20c9e2d45ba73d36e61d26d6a46c0798de575bb84b6abf09439c50b528b06695b2b5c6d562d0ff23e4688361c640f06e1331fc49c90251adc3
SSDEEP

98304:dWqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:dWqPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3322) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1232 mssecsvc.exe
2384 mssecsvc.exe
2660 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1232	mssecsvc.exe
2384	mssecsvc.exe
2660	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1044 wrote to memory of 2008	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	rundll32.exe
PID 1044 wrote to memory of 2008	1044	rundll32.exe	rundll32.exe
PID 2008 wrote to memory of 1232	2008	rundll32.exe	mssecsvc.exe
PID 2008 wrote to memory of 1232	2008	rundll32.exe	mssecsvc.exe
PID 2008 wrote to memory of 1232	2008	rundll32.exe	mssecsvc.exe
PID 2008 wrote to memory of 1232	2008	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2008

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1232

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2660

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
eb6af116d16be6353892c07b45a24d70

SHA1
8ffc55c0726f852c308049d7e2fa2aaa439381fc

SHA256
265559b912eab6b0048d1fdd9d5b236cbdd1bc3840987394e460fed09421920f

SHA512
422a77bb3df89606a0300afa04c2d58d97c45006eeea4e2e178a170c5ca6419773e7a9ddf51120c0ef9bb4ba9d8c30548efaabd563b68117c4dbf5ffc7bd4660

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit