wannacry | 1dd001ef5ae3fdc07d44feae5246b23f199e01ce4f7e2b7dd5a354f7aea227fa

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62186bebffffcfafb1c70a8ff03fa317_JaffaCakes118.dll
Size

5.0MB
MD5

62186bebffffcfafb1c70a8ff03fa317
SHA1

6fc4434a5fc48ef8c1792f8d7ca49cba14556378
SHA256

1dd001ef5ae3fdc07d44feae5246b23f199e01ce4f7e2b7dd5a354f7aea227fa
SHA512

8cb8d6f6e26cf4e5dd9a894025fe4c8063f3c13bf52a4b0faefcb27f1c95ec2121d9f8d3a4365da34483061d69f1c0da639fc7429a49e4091a2a35dac5775135
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARd:d8qPoBhz1aRxcSUDk36SAEd

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3187) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1972	mssecsvc.exe
2552	mssecsvc.exe
2396	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1700	1712	rundll32.exe	30
PID 1712 wrote to memory of 1700	1712	rundll32.exe	30
PID 1712 wrote to memory of 1700	1712	rundll32.exe	30
PID 1712 wrote to memory of 1700	1712	rundll32.exe	30
PID 1712 wrote to memory of 1700	1712	rundll32.exe	30
PID 1712 wrote to memory of 1700	1712	rundll32.exe	30
PID 1712 wrote to memory of 1700	1712	rundll32.exe	30
PID 1700 wrote to memory of 1972	1700	rundll32.exe	31
PID 1700 wrote to memory of 1972	1700	rundll32.exe	31
PID 1700 wrote to memory of 1972	1700	rundll32.exe	31
PID 1700 wrote to memory of 1972	1700	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62186bebffffcfafb1c70a8ff03fa317_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\62186bebffffcfafb1c70a8ff03fa317_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1972
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2396

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
929b5c4d4aa798214e85226ad735c229

SHA1
7d7f88545a844bd9e4e51263d8e3f2548e3d112f

SHA256
3d57f0bc2b6d14cf215d70d5f6e525622d1e451626c26a8fa9d2daf47de6c8f8

SHA512
fc89df57b54be5aef57fd9e2328bdc181895aee73813d0ecb867815e69d8987f084ffbb570f049c1ff371851500ef0121dd12ebe809acbc6cc2337203444353d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
db04f37a8f947c39285253dbf4eb490f

SHA1
ac9c6ae440c86c6df633c8c156809cfce4254064

SHA256
4038bd684b85e9451ca37e7233c2b39dbf0ad7967829179b75cafc0c661c986b

SHA512
b17162b1dfe12465e2b8fbf9f70f8e5a646a9798ff6625cf6181a62e65ebbd4a1773daa7cc954caf7bf6907c990b487847aa3a4cbb5cf6f5575cdeb5b1d09296

Download Submit