wannacry | fea1973ad1ef8844c4efdddd08c4b6ce9744b74deb3c8084d4c10453d42c87b1

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee6f883f7da3efafba40d560ae5f1c9_JaffaCakes118.dll
Size

5.0MB
MD5

eee6f883f7da3efafba40d560ae5f1c9
SHA1

3edb61b26bdb771c0210d2ae62e77e7be214eb00
SHA256

fea1973ad1ef8844c4efdddd08c4b6ce9744b74deb3c8084d4c10453d42c87b1
SHA512

1414e726a3b4626a08c8ecbeb41afdbd2fd3dd68c83415269626287cd7760280cde0b2717dfa3eb43d9be3999fd42d230ac47217d3f0b15face0a7531881efe4
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAMh9FWy8U4WpEk6aize3wK:d8qPoBhz1aRxcSUDk36SAAanaiK3L

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3323) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2072	mssecsvc.exe
1156	mssecsvc.exe
2256	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2392	2384	rundll32.exe	30
PID 2384 wrote to memory of 2392	2384	rundll32.exe	30
PID 2384 wrote to memory of 2392	2384	rundll32.exe	30
PID 2384 wrote to memory of 2392	2384	rundll32.exe	30
PID 2384 wrote to memory of 2392	2384	rundll32.exe	30
PID 2384 wrote to memory of 2392	2384	rundll32.exe	30
PID 2384 wrote to memory of 2392	2384	rundll32.exe	30
PID 2392 wrote to memory of 2072	2392	rundll32.exe	31
PID 2392 wrote to memory of 2072	2392	rundll32.exe	31
PID 2392 wrote to memory of 2072	2392	rundll32.exe	31
PID 2392 wrote to memory of 2072	2392	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eee6f883f7da3efafba40d560ae5f1c9_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eee6f883f7da3efafba40d560ae5f1c9_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2072
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2256

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
3666bcbd17b5260f540b7dbd93c5e0fe

SHA1
1c8e39d158633695f4d65b8447573748a2617283

SHA256
a47a7632ad1ed4c8499cd3aa6c41fe151d410fae1ea06855231c7d3b4089baf7

SHA512
407463a8ca610f4ee3ddc811f0cd221bddb8a054f68b4f3b7f36a3ad441b990c2edb7b79c9899c914216e464cdc73a33122dc95fd2e4c094dfd70247054d84ba

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a0e9fc052295bcbfe3cb412e5a4a9338

SHA1
93460ee6176f11e3691573fc52b291cf7261e3fa

SHA256
548dd44dc103d64a5b25f44b9335457b55c750dab7d3e1eb6dfd6ad291433380

SHA512
5bc8e95733b7ee00e8e28cd98d6144212bb47741c6d1647677b1b71571daa52979917f527a0e6eaff44f82c5233e43268f82b7b0c7973dff45ff1ef1bc3ea450

Download Submit