wannacry | f917542e700119900587223373bbb702b82bb3aa50d8d672e5c14cc93d00182f

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da849935ded74d6ec67b3f675a077773_JaffaCakes118.dll
Size

5.0MB
MD5

da849935ded74d6ec67b3f675a077773
SHA1

7ba5ee4385357d8aaef913a1d072f05abd8065ae
SHA256

f917542e700119900587223373bbb702b82bb3aa50d8d672e5c14cc93d00182f
SHA512

c189587eba7d75188bb0619456d7f0c7517bd121e4f11a4f55cd036ed47e6faaf44c74f8787082e582a2f2fec41c0ad8f08b60e4457277d0015739d382800b0b
SSDEEP

98304:+8qPoB2z1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+8qPd1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3297) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2564	mssecsvc.exe
532	mssecsvc.exe
2572	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2384	2900	rundll32.exe	30
PID 2900 wrote to memory of 2384	2900	rundll32.exe	30
PID 2900 wrote to memory of 2384	2900	rundll32.exe	30
PID 2900 wrote to memory of 2384	2900	rundll32.exe	30
PID 2900 wrote to memory of 2384	2900	rundll32.exe	30
PID 2900 wrote to memory of 2384	2900	rundll32.exe	30
PID 2900 wrote to memory of 2384	2900	rundll32.exe	30
PID 2384 wrote to memory of 2564	2384	rundll32.exe	31
PID 2384 wrote to memory of 2564	2384	rundll32.exe	31
PID 2384 wrote to memory of 2564	2384	rundll32.exe	31
PID 2384 wrote to memory of 2564	2384	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da849935ded74d6ec67b3f675a077773_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\da849935ded74d6ec67b3f675a077773_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2564
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2572

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
9337a95307e7145667d7a3156f44637a

SHA1
630051b3d8a9d692ac2198d26a0d841bfaa0a3ba

SHA256
7175eb4a0fc7945714fed6bb9cf05bbd8870914b584f130515a687348e711f32

SHA512
3b2a0da359f358753286cd16fea0db0bd7a59b4df12ab23f5dad4be36b03c017246f03f3565d8045a7c0cb5dcbd89be140c1ec0e9492c60a6ee9725b5d2e92c2

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
77fbbb801b6e5c730340c2252e9162d2

SHA1
7228db01c1e35c6ac0870903550f233a7069c237

SHA256
ff9cb2920c8cd813b6af613e6a0d5c7a5d4459d6508ea650e7293055d84ec835

SHA512
27933b53ff414bc852655a02de005e47c286dec0503900b4eff1c6f72e4f62bf226ebb3f5267c7fc3299c8965f0c635c6c6bb464cb8a98fd0ae7f8eac36268f7

Download Submit