wannacry | bd5b6ffd91e3310ee4d0a22c00361c8dc3057995ca46ebeff8b82a673646323f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
Size

3.6MB
MD5

ac537ffb911bf00bcbbe08ef0d197618
SHA1

8e8be8184ad024cb6c5f61d7d69bf6a4b74eb0be
SHA256

bd5b6ffd91e3310ee4d0a22c00361c8dc3057995ca46ebeff8b82a673646323f
SHA512

72486360e50aed13fb995848b90af5593e4fcc0ba09cdf40f28d8dc965d925b05d1d19adab23173a2affe30b75450dab3fd689a0c34d8dd738040c7764147e6f
SSDEEP

98304:ZdPoBL1aRxcSUDk36SAEdhvxWa9P593R8:ZdPg1Cxcxk3ZAEUadzR8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3282) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2160 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2160	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe

description ioc process

File created C:\WINDOWS\tasksche.exe ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2688 2160 WerFault.exe tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe

pid	pid_target	process	target process
2688	2160	WerFault.exe	tasksche.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exetasksche.exe

description	pid	process	target process
PID 1700 wrote to memory of 2160	1700	ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe	tasksche.exe
PID 1700 wrote to memory of 2160	1700	ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe	tasksche.exe
PID 1700 wrote to memory of 2160	1700	ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe	tasksche.exe
PID 1700 wrote to memory of 2160	1700	ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe	tasksche.exe
PID 2160 wrote to memory of 2688	2160	tasksche.exe	WerFault.exe
PID 2160 wrote to memory of 2688	2160	tasksche.exe	WerFault.exe
PID 2160 wrote to memory of 2688	2160	tasksche.exe	WerFault.exe
PID 2160 wrote to memory of 2688	2160	tasksche.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1700

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 36
3⤵
- Program crash
PID:2688

C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a8c73a47be650986b82913698cae202e

SHA1
2e54c7dc560751ea9eee2a96295f03992e7d7c65

SHA256
6b8ac7b7c7bc93edf4ed6a96bdcdbb372b1e873c16be0f8df2bf2eb8009210a4

SHA512
9290e7220bedefaaf6f135f7f2bd402802c3975d357acd94c3697ed2b96dc4eeeb30d391630aa4d541ea2eed13a027fc28f2e3dfba201c8338024d4e5f867d05

Download Submit