wannacry | 466f166d55d8755f3b2f77b3150493e7a255207f6ea8d605cc181b16fb3b6d13

Resubmissions

28-09-2024 13:56

240928-q8x21aygnr 10

28-09-2024 13:47

240928-q3nals1gjg 10

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc6d185cdc6364146888277e411fbf7a_JaffaCakes118.dll
Size

5.0MB
MD5

fc6d185cdc6364146888277e411fbf7a
SHA1

1a45cb794dae0c3d7dee4c94891ccc2b1706de65
SHA256

466f166d55d8755f3b2f77b3150493e7a255207f6ea8d605cc181b16fb3b6d13
SHA512

a9fe75a5f809b7b19803828eda187d8ca96555581ed718d470c9387f8cab9f32601c85554f7b7483565b1b9bf0a0656cc448b016d6fbfb255bbc7e11e5dc7984
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8y:d8qPe1Cxcxk3ZAEUadzR8y

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3241) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2760	mssecsvc.exe
2660	mssecsvc.exe
1968	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2732	2132	rundll32.exe	30
PID 2132 wrote to memory of 2732	2132	rundll32.exe	30
PID 2132 wrote to memory of 2732	2132	rundll32.exe	30
PID 2132 wrote to memory of 2732	2132	rundll32.exe	30
PID 2132 wrote to memory of 2732	2132	rundll32.exe	30
PID 2132 wrote to memory of 2732	2132	rundll32.exe	30
PID 2132 wrote to memory of 2732	2132	rundll32.exe	30
PID 2732 wrote to memory of 2760	2732	rundll32.exe	31
PID 2732 wrote to memory of 2760	2732	rundll32.exe	31
PID 2732 wrote to memory of 2760	2732	rundll32.exe	31
PID 2732 wrote to memory of 2760	2732	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc6d185cdc6364146888277e411fbf7a_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc6d185cdc6364146888277e411fbf7a_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2760
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:1968

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
0bb4bff4a1e8d3a92c179c7e7f4980f1

SHA1
197688a749ac3cb72c67f8033ce560fdb44b3325

SHA256
126660695a9f0a35c5499321c2d87c0a7bcade6b62c7b820f21ca61924d8f92e

SHA512
7c1a3c7d26efc514908b16caeb162b580e2b9bc7545e5db95cdc7175bd111683b69dc28f862866b3ff6430421ba612535c0fa29ca8eacb6c5cf7b7517d41a244

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
27c55cf6092a94cdeed8d5a528df7093

SHA1
11eaf98f3c169cc00f04da63445a349c7ae69fd3

SHA256
61bc7a56d704dd851bd20fcfede124947dfc758e324b72c65885a5d605b3ff89

SHA512
a4386aa33c6810a1399a30576dd1951b5f4c7deaded86f67064a33d0c709cb356ac0501f27a1a1624f7817c0fc3dc82ca6a8a27fc5aa11b5ef367c1a18eb88f9

Download Submit