wannacry | 25569625a36ca72014b551e8aff1cc163239b4766a434c3bcbfc5bb97cf8dbb1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 16:32

Target

1391981dda18f636a0ec142d2f85079d_JaffaCakes118.dll
Size

5.0MB
MD5

1391981dda18f636a0ec142d2f85079d
SHA1

8330f801ca548a037879e0b75447ac3496932810
SHA256

25569625a36ca72014b551e8aff1cc163239b4766a434c3bcbfc5bb97cf8dbb1
SHA512

909a025c2cac752c369e20706483786273786a2dc78a9d1928457c51ff9dfd32cb7e4374b993af8dc049556b3d1f217cfcec3751af5b1af4c4d361e3bfea210e
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAfAH:d8qPoBhz1aRxcSUDk36SADH

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3231) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1484 mssecsvc.exe
5072 mssecsvc.exe
5212 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5188 wrote to memory of 5272	5188	rundll32.exe	rundll32.exe
PID 5188 wrote to memory of 5272	5188	rundll32.exe	rundll32.exe
PID 5188 wrote to memory of 5272	5188	rundll32.exe	rundll32.exe
PID 5272 wrote to memory of 1484	5272	rundll32.exe	mssecsvc.exe
PID 5272 wrote to memory of 1484	5272	rundll32.exe	mssecsvc.exe
PID 5272 wrote to memory of 1484	5272	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1391981dda18f636a0ec142d2f85079d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5188

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:5212

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:5072

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
eb0f59bbbee4e1195509874301b9200c

SHA1
468e55701ecf64d01c05c9fa7470f0f5a4ef294c

SHA256
f32919594061cd2664173e51e23ebe4134675d7350359a50a3fac1fa38716c8e

SHA512
2882e530c42bd7497763c0e5c7b89387c7f2bbdcfe7551b9811308e604cbd9f085a6bb330c452a7b385bf7e206afbbf8baf9a03c40e53213fdecc1113919054b

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
46a0ffe690dbef1ad9290eae3442e2cc

SHA1
402f07250ef7df1ef336bb06b3f9c65318405b7c

SHA256
66460333375e11582774e0e06189e6c237f7635c2decf33f95b28c0066309ed4

SHA512
e378b904d807c5d8eb459335d160bef231fa57aeb43211bf80a5d9aa67db7d6446f5d400defdb92230e7a61239a464fdff200c83188e9f79cd389c00a915f2c0

Download Submit