wannacry | d66516fd8cfdcb030baf16943f3115e8b4dbdc975c7900ba37ff852b03b7879d

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cabc41c7460caa08b7669c74ad91fbbc_JaffaCakes118.dll
Size

5.0MB
MD5

cabc41c7460caa08b7669c74ad91fbbc
SHA1

8f915b53f3320913297e851dd908eee077ca44d3
SHA256

d66516fd8cfdcb030baf16943f3115e8b4dbdc975c7900ba37ff852b03b7879d
SHA512

dc2d1810aa9616ea6edb57b08db6799397564ec3de6c4fc9fb694e574135dc6f9daaf4107d0b5296ad8c2ca244991e6927141f4368dc72074d93a57e21491461
SSDEEP

24576:SbLgdeQhfdmMSirYbcMNgef077nEaut/8uME7A4kqAH1pNZtA0p:SnjQqMSPbcBVPEau3R8yAH1plA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3182) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2708	mssecsvc.exe
3008	mssecsvc.exe
2904	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 2688	1240	rundll32.exe	30
PID 1240 wrote to memory of 2688	1240	rundll32.exe	30
PID 1240 wrote to memory of 2688	1240	rundll32.exe	30
PID 1240 wrote to memory of 2688	1240	rundll32.exe	30
PID 1240 wrote to memory of 2688	1240	rundll32.exe	30
PID 1240 wrote to memory of 2688	1240	rundll32.exe	30
PID 1240 wrote to memory of 2688	1240	rundll32.exe	30
PID 2688 wrote to memory of 2708	2688	rundll32.exe	31
PID 2688 wrote to memory of 2708	2688	rundll32.exe	31
PID 2688 wrote to memory of 2708	2688	rundll32.exe	31
PID 2688 wrote to memory of 2708	2688	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cabc41c7460caa08b7669c74ad91fbbc_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cabc41c7460caa08b7669c74ad91fbbc_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2708
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2904

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
3efd11562e83b3e75d8a4b92c12cfcd5

SHA1
087a594e11056572469bdf4b7ea1e72446e89c07

SHA256
2272c7541063f16369ac05f0e29c2a1fb484c9faf7fedb3da80193c11cdf2d48

SHA512
e68188b75a4a2c9c641622cb4277eb4ebc44b8837747ccebbfd15f8ec840854a46ca258d9321eaaab8a85dc140d1f1fea8bed7d23ce5bca43b4100234a1a637b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
4a8a368a5305921722fb56265fe5286d

SHA1
96a8b92683177c59c70556d747aaf7e25ac203c3

SHA256
aec5e29a733e988cb57bf9947bb8fe43a84a56c52a7b3cd2e03920d05b6c5802

SHA512
42adeed02e64e01750e3b10bb16d1dbcc345f9480ff0c7df3b1174ce0487941786101826b8c504e795f4c0ec1d479be96ba39c799f6f3c1e43a070902554e4d3

Download Submit