wannacry | 9537f9d6f2d7a3baae2fb6f26ff449ee3c65185a1b6f9b0e4a3391ada83e0323

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fff36f361482680f3255a78ba3ba0095_JaffaCakes118.dll
Size

5.0MB
MD5

fff36f361482680f3255a78ba3ba0095
SHA1

1d943be263aa43911ef20a100f77add5d7bb320f
SHA256

9537f9d6f2d7a3baae2fb6f26ff449ee3c65185a1b6f9b0e4a3391ada83e0323
SHA512

29b9e07a197cb027ab6aafd3e978a52b79e870f90ff47f1e1e4fab5efb59e4f5786470e842e573595d3da13d08e3f97509233a40a40e12399c03c9e4998bdf7d
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhqYoP3R8yAVp2H:d8qPe1Cxcxk3ZAE4R8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3344) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1636	mssecsvc.exe
320	mssecsvc.exe
2484	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 1908	236	rundll32.exe	30
PID 236 wrote to memory of 1908	236	rundll32.exe	30
PID 236 wrote to memory of 1908	236	rundll32.exe	30
PID 236 wrote to memory of 1908	236	rundll32.exe	30
PID 236 wrote to memory of 1908	236	rundll32.exe	30
PID 236 wrote to memory of 1908	236	rundll32.exe	30
PID 236 wrote to memory of 1908	236	rundll32.exe	30
PID 1908 wrote to memory of 1636	1908	rundll32.exe	31
PID 1908 wrote to memory of 1636	1908	rundll32.exe	31
PID 1908 wrote to memory of 1636	1908	rundll32.exe	31
PID 1908 wrote to memory of 1636	1908	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fff36f361482680f3255a78ba3ba0095_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fff36f361482680f3255a78ba3ba0095_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1636
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2484

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
98c8b1abb6625c89698d3c76a9f8573b

SHA1
5373ab9b44d1576ad465a5881ccfa8fa30c37c31

SHA256
97d2876aaa159bd438c7fd33c7b126fa8ca2ca23d0e7a8ac318bcccaed580ce8

SHA512
7917b0539222e966be2aa3cd6f8edf5261b2b5cc8c6af866eef175553794a473dc0d29809313f76a64b2f019ad52fe764f4d7303b4894802a722fc7b08fa150e

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
dea022033f275636abfca77115556787

SHA1
8090089701385b7519bd6a17de2ee0f7aeebc3b4

SHA256
86f62cf979b79aed17cd85434e1ba5c4446941cc2ab8d704ed0ee98b8ec7d06e

SHA512
d4d3969807c46f5dfe1542996dd55a50828c5faed4309970a441acd5b1ddaf1275fc92d1f41b7c1673509808f388098ab0e9544652f9e29b26ce722369477a13

Download Submit