wannacry | 06b170c03a56757ebce660e26415507029b58282cfd9291b73961ecfcedea3e8

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

832698afef735df491267821aef061d7_JaffaCakes118.dll
Size

5.0MB
MD5

832698afef735df491267821aef061d7
SHA1

1f5a1f597e81341a6851758992485933e9e66c83
SHA256

06b170c03a56757ebce660e26415507029b58282cfd9291b73961ecfcedea3e8
SHA512

c49b132d23d47e9d5212d2fc31394b2dc518e73b75c97da5ef38dd4aab4d0b5d93250c9f7a8faef5890b01f614dbf0e9ee6e1ebd2de99a5f45160fd05c861408
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9AT3R8yAVp2H:d8qPe1Cxcxk3ZAEUa6R8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3267) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2212 mssecsvc.exe
1964 mssecsvc.exe
2608 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2212	mssecsvc.exe
1964	mssecsvc.exe
2608	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2328 wrote to memory of 2420	2328	rundll32.exe	rundll32.exe
PID 2328 wrote to memory of 2420	2328	rundll32.exe	rundll32.exe
PID 2328 wrote to memory of 2420	2328	rundll32.exe	rundll32.exe
PID 2328 wrote to memory of 2420	2328	rundll32.exe	rundll32.exe
PID 2328 wrote to memory of 2420	2328	rundll32.exe	rundll32.exe
PID 2328 wrote to memory of 2420	2328	rundll32.exe	rundll32.exe
PID 2328 wrote to memory of 2420	2328	rundll32.exe	rundll32.exe
PID 2420 wrote to memory of 2212	2420	rundll32.exe	mssecsvc.exe
PID 2420 wrote to memory of 2212	2420	rundll32.exe	mssecsvc.exe
PID 2420 wrote to memory of 2212	2420	rundll32.exe	mssecsvc.exe
PID 2420 wrote to memory of 2212	2420	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\832698afef735df491267821aef061d7_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\832698afef735df491267821aef061d7_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2420

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2212

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2608

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
be5318c1fcfc50c199ae54239a51dc05

SHA1
6db81d8749517cdfe28c29919c4c0f188e08d0eb

SHA256
943222ee219668db517c449fed6959c1fcbaae84861a5606387599cb9647d5ec

SHA512
2cb16c53366dee7c40085f7b3633b58c97dbf890d75af56d4ff6e4f1b1f70ef762a52b7edec9f9cd14f2d97efc80a3b72ebbee8ab844c79be992cccbb6b713fe

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
5612a496dd2a38bcb41bdf2948354fe3

SHA1
6cd72e7cb9424e2b2492b4d39069288ee17fa9f8

SHA256
858e56839a7ef43fbd0a878a4959f6c41781d84866f853a49e4cda89b4073097

SHA512
ccc72f01518423f3fec76131a7fb97cd4dd310e7de8f654d8dec89534b66cba19f5ef4ac100223eca063fc524f437f2324518ce002955ca6e50dfc2a717325b2

Download Submit