wannacry | e572ac2cb59c9efb7d130b6d0b126abdb2c5418eb23eef13257eafcc38ed963f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll
Size

5.0MB
MD5

6aa433b987f747ea18bd1daba29b19a6
SHA1

c4a60a470025c45d224276be50fe9ac8370ddee1
SHA256

e572ac2cb59c9efb7d130b6d0b126abdb2c5418eb23eef13257eafcc38ed963f
SHA512

f5939aa010fc822d3b2017d6091b802f27d96f01c914b659280a862cb11b453a59a379772795c199c377171fc35dcc6208a13c2a716137aca7318bc5212c21e3
SSDEEP

24576:ObLgdeQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKt:OnjQqMSPbcBVQej/1INK

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3148) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 2 IoCs

pid	Process
2020	mssecsvc.exe
2764	mssecsvc.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	mssecsvc.exe
2764	mssecsvc.exe

Suspicious behavior: MapViewOfSection 47 IoCs

pid	Process
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2020	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe
2764	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	mssecsvc.exe
Token: SeDebugPrivilege	2764	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2368	3032	rundll32.exe	30
PID 3032 wrote to memory of 2368	3032	rundll32.exe	30
PID 3032 wrote to memory of 2368	3032	rundll32.exe	30
PID 3032 wrote to memory of 2368	3032	rundll32.exe	30
PID 3032 wrote to memory of 2368	3032	rundll32.exe	30
PID 3032 wrote to memory of 2368	3032	rundll32.exe	30
PID 3032 wrote to memory of 2368	3032	rundll32.exe	30
PID 2368 wrote to memory of 2020	2368	rundll32.exe	31
PID 2368 wrote to memory of 2020	2368	rundll32.exe	31
PID 2368 wrote to memory of 2020	2368	rundll32.exe	31
PID 2368 wrote to memory of 2020	2368	rundll32.exe	31
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	3
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	3
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	3
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	3
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	3
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	3
PID 2020 wrote to memory of 380	2020	mssecsvc.exe	3
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	4
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	4
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	4
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	4
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	4
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	4
PID 2020 wrote to memory of 396	2020	mssecsvc.exe	4
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	5
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	5
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	5
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	5
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	5
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	5
PID 2020 wrote to memory of 432	2020	mssecsvc.exe	5
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	6
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	6
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	6
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	6
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	6
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	6
PID 2020 wrote to memory of 476	2020	mssecsvc.exe	6
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	7
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	7
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	7
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	7
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	7
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	7
PID 2020 wrote to memory of 492	2020	mssecsvc.exe	7
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	8
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	8
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	8
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	8
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	8
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	8
PID 2020 wrote to memory of 500	2020	mssecsvc.exe	8
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	9
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	9
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	9
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	9
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	9
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	9
PID 2020 wrote to memory of 596	2020	mssecsvc.exe	9
PID 2020 wrote to memory of 672	2020	mssecsvc.exe	10
PID 2020 wrote to memory of 672	2020	mssecsvc.exe	10
PID 2020 wrote to memory of 672	2020	mssecsvc.exe	10
PID 2020 wrote to memory of 672	2020	mssecsvc.exe	10

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:380
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2024
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1492
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:740
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:812
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1160
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:860
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:968
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:268
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:856
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1100
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1296
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2104
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1664
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
b2b0bc696271321075d678c832b9db9c

SHA1
801343b88e1e276da1585564bcf22b9f114a48c0

SHA256
6729590951a87257c5509e08c3d6c12ecdc78645e478c387d660663fb93087ba

SHA512
3106db6137ec2d32e83c6024261878f2bbc2016e95f5213c4e6bdca8d792ca36e0b574fa85d57aaa46de5a91b9759826a72ab3b7f08e54737d0fd7fbb86e569b

Download Submit
memory/2020-9-0x0000000077AE0000-0x0000000077AE1000-memory.dmp

Filesize
4KB

Download
memory/2020-8-0x0000000077ADF000-0x0000000077AE0000-memory.dmp

Filesize
4KB

Download
memory/2020-7-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2020-13-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2020-16-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2368-6-0x0000000002520000-0x0000000002B93000-memory.dmp

Filesize
6.4MB

Download
memory/2368-15-0x0000000002520000-0x0000000002B93000-memory.dmp

Filesize
6.4MB

Download
memory/2764-11-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2764-17-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download