wannacry | 649d03197292e3ef23a3e5418feced95ba35dedf32899051c68c7ae2f95b505f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-08-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc3672d82646ca070f5b0b40a94acfd3_JaffaCakes118.dll
Size

5.0MB
MD5

cc3672d82646ca070f5b0b40a94acfd3
SHA1

4c3ec9a83292134ad3121d5e3fd66fc7cac104ef
SHA256

649d03197292e3ef23a3e5418feced95ba35dedf32899051c68c7ae2f95b505f
SHA512

be2de148573f03072648e4e1d9b62f4a7b543da2c9511f4cb1bcb632f7665763b74fe910ec198dc71dc917e483b04433c95b3e8776ae7105a5436eced43bf48f
SSDEEP

98304:+8qPoBhz1aRxcSUZk36SAEdhvxWa93z6Om3MOujtDZnhf/B:+8qPe1Cxc7k3ZAEUaFBlFB5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3325) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1604	mssecsvc.exe
2332	mssecsvc.exe
2316	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2224	3008	rundll32.exe	31
PID 3008 wrote to memory of 2224	3008	rundll32.exe	31
PID 3008 wrote to memory of 2224	3008	rundll32.exe	31
PID 3008 wrote to memory of 2224	3008	rundll32.exe	31
PID 3008 wrote to memory of 2224	3008	rundll32.exe	31
PID 3008 wrote to memory of 2224	3008	rundll32.exe	31
PID 3008 wrote to memory of 2224	3008	rundll32.exe	31
PID 2224 wrote to memory of 1604	2224	rundll32.exe	32
PID 2224 wrote to memory of 1604	2224	rundll32.exe	32
PID 2224 wrote to memory of 1604	2224	rundll32.exe	32
PID 2224 wrote to memory of 1604	2224	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc3672d82646ca070f5b0b40a94acfd3_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc3672d82646ca070f5b0b40a94acfd3_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1604
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2316

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f00275ff5d6ba1430b4b4caed41f7a2f

SHA1
0e3d3d252fa18d7398a363d4f2ec84679fb2e32b

SHA256
7fe9c054c50bd970c3bd595ded2f35c2318fcfab110cf56fabd75122aa1e760d

SHA512
3478ec32208a2694890a6ede4b0b80e51b52dc104de0c8865e16d4331bf8de2d6e2c52ac256140a8147c1fe88e5da48471696732eaba596d2e285834b6b8a847

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
4ceb036a610bc152469bc3e9ea2cd4d1

SHA1
a3918a049945bfffccd5bdb989f9923e890dedc7

SHA256
54179a8e88dcdcea5b7fdee605d8f991c18270ae0f7f0b41ea189301fcd06496

SHA512
9bd6a93449333034f533b2eb718108574ac5f2df04ba006ba4aa9f0b5d858a09b0edbe8ee64f9f1560760bbc9443cf06e6fe7a99ecaf5bb2e931cf4deeaf5a5a

Download Submit