wannacry | 0666b7b6f571a154ac43341c86bb48c80bda2649368c01d183a660d5e841d0f1

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

777295af47127697b18eb864656e5dd0_JaffaCakes118.dll
Size

5.0MB
MD5

777295af47127697b18eb864656e5dd0
SHA1

c5103eb13aefab7274962714a1fa8fcf7d0ee480
SHA256

0666b7b6f571a154ac43341c86bb48c80bda2649368c01d183a660d5e841d0f1
SHA512

0628236b1e839aa4038f405ffb387e0cb68b7a8a796777299fbd5ee8179509f21987d0ba7d80a8fc7ee44e375e595087be2540e76e5a9c5a0f78f271ad1fd573
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yA:d8qPe1Cxcxk3ZAEUadzR8y

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3211) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2520 mssecsvc.exe
836 mssecsvc.exe
2732 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2520	mssecsvc.exe
836	mssecsvc.exe
2732	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2808 wrote to memory of 3048	2808	rundll32.exe	rundll32.exe
PID 2808 wrote to memory of 3048	2808	rundll32.exe	rundll32.exe
PID 2808 wrote to memory of 3048	2808	rundll32.exe	rundll32.exe
PID 2808 wrote to memory of 3048	2808	rundll32.exe	rundll32.exe
PID 2808 wrote to memory of 3048	2808	rundll32.exe	rundll32.exe
PID 2808 wrote to memory of 3048	2808	rundll32.exe	rundll32.exe
PID 2808 wrote to memory of 3048	2808	rundll32.exe	rundll32.exe
PID 3048 wrote to memory of 2520	3048	rundll32.exe	mssecsvc.exe
PID 3048 wrote to memory of 2520	3048	rundll32.exe	mssecsvc.exe
PID 3048 wrote to memory of 2520	3048	rundll32.exe	mssecsvc.exe
PID 3048 wrote to memory of 2520	3048	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\777295af47127697b18eb864656e5dd0_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\777295af47127697b18eb864656e5dd0_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3048

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2520

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2732

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0e192322d75d1d2809fad5930425b7bf

SHA1
ec45f0c67dc96b607e05c33db23556b7e943f50f

SHA256
ab1411761ecbdfb7be678a5bbd8078775ec1e6896cd3de68f691a0f97aa717a1

SHA512
fbe3c54037d3e71fde4023f2a63b03b9a253d7b53555a766c50243bf8803388d9c0bbe8ebf23adf55523dbdca4c7acac35a6c461765bf3a21463361cb355b46f

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
967b2c05787f5353452c45b7cb9f2f9c

SHA1
29dd704d736249a471df7da340c84a0180e55537

SHA256
e530782aff9d469d892a0687aec278a8ac0ffedb46869e0aae5e9184c0c83923

SHA512
090e832fe0954a7f56788a640882b8cb8b34786f02d3f1d4e48f73d3c7c51b87df973b804ef7bf22a0d1d853ef4b1f8d49741161a7a7cc4d7032db6446beacc3

Download Submit