wannacry | 4ff2da241d70aca8d525e7c417c4541b6ede67511c6d4f9560263024f5886dd1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 11:57

Target

17905fa52bee8b438e2b7f5cb53cb2f5_JaffaCakes118.dll
Size

5.0MB
MD5

17905fa52bee8b438e2b7f5cb53cb2f5
SHA1

2af13381186dd6816a6354b734cca68573e90beb
SHA256

4ff2da241d70aca8d525e7c417c4541b6ede67511c6d4f9560263024f5886dd1
SHA512

d0dd6b946280bd50f2aabe1922e419fe8d62d9cbd8411bb98a61ecbdf0e3d2cdb73ea307a27fad7a6b480d76b9400a3b61a9a3c6fa9a7f710ab0aee7cd372681
SSDEEP

98304:d8qPoB1z1aRxcSUDk36SAEdhFeB3R8yAVp2H:d8qPS1Cxcxk3ZAEJepR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3293) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4128 mssecsvc.exe
4380 mssecsvc.exe
5108 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4636 wrote to memory of 2136	4636	rundll32.exe	rundll32.exe
PID 4636 wrote to memory of 2136	4636	rundll32.exe	rundll32.exe
PID 4636 wrote to memory of 2136	4636	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 4128	2136	rundll32.exe	mssecsvc.exe
PID 2136 wrote to memory of 4128	2136	rundll32.exe	mssecsvc.exe
PID 2136 wrote to memory of 4128	2136	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\17905fa52bee8b438e2b7f5cb53cb2f5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:5108

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:4380

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
676546e9d7eb379744152f2f308854c0

SHA1
496dcb1559821ff4a93e4ae4e7e901ce260799c8

SHA256
6e9eeb57fec2ff5dfe679cd60b0d35ef4d588e497e4f8619e89237191f97fb49

SHA512
b39f29fc6ba70bc2490e77166472b2547e78a66c6749de304c5deb348245ce1402406af4264a5bb15f94fe5af9e11f0ca1007f3b04c9a87ad32207e762cca07a

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
972029747126787ea423dffa1df456b6

SHA1
0d6d278f3305f6713db39bf0ff9d32fd15b0dd20

SHA256
ef16810e7e876aaebc4eb25a00abcd65f83abb41e074c5e1a030debabddf9e3a

SHA512
77860b8a63373ee194a043496b7cc0d530f76d13692db09057fd68dd82001363932e974b7985b699a9ba9a3d71de574a8068144758271c41a5c677bbedd82c43

Download Submit