wannacry | e5f895eabdad888f1e69812e24686d352803ff994dac56067197b58b1ff16221

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4cde1e1ed2abbee0b5abc2da6b41bb6_JaffaCakes118.dll
Size

5.0MB
MD5

b4cde1e1ed2abbee0b5abc2da6b41bb6
SHA1

7fbe0c404a6c960baf647ed7d8f628012b29c4c7
SHA256

e5f895eabdad888f1e69812e24686d352803ff994dac56067197b58b1ff16221
SHA512

58335e42da8244d1215cf79e1b299dd832c6bcb436e23b9d3ce9ca261cfe4b589174e880c629c5d50803f3784eba527c5b19b65aa17caf2a68a3dff6d078fe54
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAV:d8qPe1Cxcxk3ZAEUadzR8yc

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3258) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2224 mssecsvc.exe
2500 mssecsvc.exe
2660 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2224	mssecsvc.exe
2500	mssecsvc.exe
2660	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2908 wrote to memory of 1668	2908	rundll32.exe	rundll32.exe
PID 2908 wrote to memory of 1668	2908	rundll32.exe	rundll32.exe
PID 2908 wrote to memory of 1668	2908	rundll32.exe	rundll32.exe
PID 2908 wrote to memory of 1668	2908	rundll32.exe	rundll32.exe
PID 2908 wrote to memory of 1668	2908	rundll32.exe	rundll32.exe
PID 2908 wrote to memory of 1668	2908	rundll32.exe	rundll32.exe
PID 2908 wrote to memory of 1668	2908	rundll32.exe	rundll32.exe
PID 1668 wrote to memory of 2224	1668	rundll32.exe	mssecsvc.exe
PID 1668 wrote to memory of 2224	1668	rundll32.exe	mssecsvc.exe
PID 1668 wrote to memory of 2224	1668	rundll32.exe	mssecsvc.exe
PID 1668 wrote to memory of 2224	1668	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cde1e1ed2abbee0b5abc2da6b41bb6_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cde1e1ed2abbee0b5abc2da6b41bb6_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1668

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2224

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2660

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
c950a73c8373cf8b7be87250213f8d4f

SHA1
52f1e73c50fe92f229ea5b8cff7fc6215a76f430

SHA256
c3d14080e3719c412b9539a048000720e4376e46d1118a5b515bb4dd5fb20af6

SHA512
0b803c10925ce43fa292c07fd7445d50b677df49ff138dfe7d596172589d55fc20ef3fc59c0590ad5943963fbfe9dc43def15fe22c23f91243303d00adeda796

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
dababf3f702d586685ebfcd0b5a7975a

SHA1
9d725fd5c6cb226ba2571b95c575764902a8ad15

SHA256
05aacce477db5a570e36d10da93eba85bec8af8e4aa2224b0a8ac98a542c18bd

SHA512
4fa33b72a5af61e0bc2046cb85ce40b7cf043da17c24c7576a0d673bfc98dbfb0c024eae4bd2b4e1f123c45e3838c17af96f8e21b68a1382c101bc105a9174e1

Download Submit