wannacry | 645b428bf5a29d365ff98b1fd45ba399c0e00b3da93a8d7cd1e3a0310a3594c3

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4d6c30783319492a578d333806977be_JaffaCakes118.dll
Size

5.0MB
MD5

b4d6c30783319492a578d333806977be
SHA1

7efe66f619ae1501379dc7cee63c68a07dcafb1c
SHA256

645b428bf5a29d365ff98b1fd45ba399c0e00b3da93a8d7cd1e3a0310a3594c3
SHA512

ca6ef14ec240115362b4738d23970ee9967665929d6752b8238109dd5f0a90e7766dfedc00c644ad6047c9e3fb970a3b2cc5c5ea1768a5bdb6d20c3d0bbac41e
SSDEEP

98304:d8qPoBh3RxcSUDk36SAEdhvxWa9P593R8yAVp2H:d8qPkxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3295) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1668 mssecsvc.exe
2192 mssecsvc.exe
2128 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1668	mssecsvc.exe
2192	mssecsvc.exe
2128	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 756 wrote to memory of 1676	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1676	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1676	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1676	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1676	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1676	756	rundll32.exe	rundll32.exe
PID 756 wrote to memory of 1676	756	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 1668	1676	rundll32.exe	mssecsvc.exe
PID 1676 wrote to memory of 1668	1676	rundll32.exe	mssecsvc.exe
PID 1676 wrote to memory of 1668	1676	rundll32.exe	mssecsvc.exe
PID 1676 wrote to memory of 1668	1676	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4d6c30783319492a578d333806977be_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4d6c30783319492a578d333806977be_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1676

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1668

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2128

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
1b01c6695e40d7b1debbc89b11ec9b05

SHA1
c34816e9cf97a6c1fc5ef65d6222b7dafa662b14

SHA256
49c34f1c874a7cabd10b935a0da2e00ac296eb0087e0101107285ef799f7ce05

SHA512
af8b68369020c73b75440febba549bafb57250ec09d6fade21a05e4c9975f98e094e773b250378fbfc535fce94e138758bf8ac97297cff172be7587e59c741b1

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
e1961629be16763d1b5649d963b7999a

SHA1
ef2a07f6f4ce435de3f5ce479eb145db6755a73c

SHA256
7bd280c072ea682f2b69a4f91ca7b23b03977aeb85db9047af11a2af6bc6ee37

SHA512
b2010a78d0319a82e0b89d5d2fa7a353a75c329344b05e94c9e241de49c7d8ffdd49c4daea6085ebdf9ae5b52248c4734146385718def76b7b407a0264d800ee

Download Submit