wannacry | 60bccc5b50843c14865d176b918ff518eb562ff88aa2574b5ce0f77895756089

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
31-08-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc5ee9ab34b4568b98c8a605d6d8fa58_JaffaCakes118.dll
Size

5.0MB
MD5

cc5ee9ab34b4568b98c8a605d6d8fa58
SHA1

3549a4cb74696bd2b7def20db41d7554781e6742
SHA256

60bccc5b50843c14865d176b918ff518eb562ff88aa2574b5ce0f77895756089
SHA512

0921f6706cca4907b2300977d5ce2d02023af0469aeb871202773f683e8ed53061c99ffe7548d5971204434bbd6f02b96440deb06015cd99dd6d6ad59b856a34
SSDEEP

98304:+8qgz1aRxcSUDk36SAEdhvxWa9P593oAVp2H:+8q01Cxcxk3ZAEUadzoc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3326) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2516	mssecsvc.exe
2080	mssecsvc.exe
2344	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1916	1956	rundll32.exe	31
PID 1956 wrote to memory of 1916	1956	rundll32.exe	31
PID 1956 wrote to memory of 1916	1956	rundll32.exe	31
PID 1956 wrote to memory of 1916	1956	rundll32.exe	31
PID 1956 wrote to memory of 1916	1956	rundll32.exe	31
PID 1956 wrote to memory of 1916	1956	rundll32.exe	31
PID 1956 wrote to memory of 1916	1956	rundll32.exe	31
PID 1916 wrote to memory of 2516	1916	rundll32.exe	32
PID 1916 wrote to memory of 2516	1916	rundll32.exe	32
PID 1916 wrote to memory of 2516	1916	rundll32.exe	32
PID 1916 wrote to memory of 2516	1916	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc5ee9ab34b4568b98c8a605d6d8fa58_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\cc5ee9ab34b4568b98c8a605d6d8fa58_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2516
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2344

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
55a4e5a546f6740a62a4723550c0a2d8

SHA1
cc8655d786d046cfb1bc29e46c95229e49f6a89c

SHA256
d82b2d7bd8c14d8ad5897870cce8a0670d8e8cc94ec09229dcc8d81701ee7cd8

SHA512
c5643758acd76b8aeb86cd8ef7a1fba2823b5b0a41c42259c29f8155bd90fd638b7a24256b6b85174381d3b00b7436c16548f0f968c79de40ac7c216065da5da

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
d0765ac79b3086a4d731af445d485774

SHA1
444b2efb032eb98eae04950b3c3afe090f332f00

SHA256
970951da1320f34089f761f3cb2e4d5cb1486ac6b753845ed7000f017d1f3085

SHA512
2e0c668293070a13aae66f22a3b7887edb5185623eb3a03f8741395c9adc7c8e8e240872abe0411da6ef209d24306e1a61628adbb5e9345d2eb0ce36d3a9956e

Download Submit