wannacry | c5d3d4d4f7fe5d49e0ddf095ace042caba06836b8d70eefd86a76839bdccf3ca

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd62af4a3a9a8750895356182662dacc_JaffaCakes118.dll
Size

5.0MB
MD5

dd62af4a3a9a8750895356182662dacc
SHA1

98d7bff1b5589584ecb57a5fef57fbca269cd645
SHA256

c5d3d4d4f7fe5d49e0ddf095ace042caba06836b8d70eefd86a76839bdccf3ca
SHA512

7a324b2d40b49a99b1def5d179fd3c07e433730e19eed2c0bc039090c7241d18f084c42294127da4d39b8718e4330df8fbea175c441c2d7f2918ffa48b4d5323
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVv:d8qPe1Cxcxk3ZAEUadzR8ycv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3286) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
376	mssecsvc.exe
1716	mssecsvc.exe
1872	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2248	2644	rundll32.exe	30
PID 2644 wrote to memory of 2248	2644	rundll32.exe	30
PID 2644 wrote to memory of 2248	2644	rundll32.exe	30
PID 2644 wrote to memory of 2248	2644	rundll32.exe	30
PID 2644 wrote to memory of 2248	2644	rundll32.exe	30
PID 2644 wrote to memory of 2248	2644	rundll32.exe	30
PID 2644 wrote to memory of 2248	2644	rundll32.exe	30
PID 2248 wrote to memory of 376	2248	rundll32.exe	31
PID 2248 wrote to memory of 376	2248	rundll32.exe	31
PID 2248 wrote to memory of 376	2248	rundll32.exe	31
PID 2248 wrote to memory of 376	2248	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd62af4a3a9a8750895356182662dacc_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd62af4a3a9a8750895356182662dacc_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:376
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1872

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
b2fe81863f56b560a63c4b687b01bc7e

SHA1
a3301d7b86099b87038e38efd3de31d76e611e3a

SHA256
2f70267613f5f9062691740f31a87c54bbc6c8d881c53ce219d6df31626c8658

SHA512
8f584aa488a9ef1a31292b52b5ca0a3716c8ac590e502f30dfe7ec8baed3f85cd4d16fa3379a11436d24035cbfcb8e03d062125294164c53552b6f36a3ddca3f

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b260365f73daf367bb26a66d3fb88846

SHA1
be167d8feefc6f02d29801492c8f6d75a9678c82

SHA256
164e875e59d5e6741d443b96844640302af94fff4e61de137726ca0b440e22c3

SHA512
be0418a8c537431ae8a858d8aab19168d4c5453a0cd3e0c25df63410720312fd80000898aeeeaf82028af1781c210fb43d06de762a23a14fbc65ddf1c9aae0ff

Download Submit