wannacry | a45856a40e829582bb45e4ef75bf43ff31679f8ca1d7106e6217db81b2c76e40

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 14:27

Target

18199888d6cc03fa3b1adee22012c083_JaffaCakes118.dll
Size

5.0MB
MD5

18199888d6cc03fa3b1adee22012c083
SHA1

ea05e12f62e3d5955b2de7587aa4a8c98659c040
SHA256

a45856a40e829582bb45e4ef75bf43ff31679f8ca1d7106e6217db81b2c76e40
SHA512

b835b47ed895ec6bac52d1787166b32f65f6bc51f2b6774f3b83500b79c954e1d6cece9ec61446de12cf68d22050e3b5b854e618d5d9936f1ab7e022fde5b273
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa94593R8yAVp2s:d8qPe1Cxcxk3ZAEUayzR8yc4s

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3212) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1268 mssecsvc.exe
3784 mssecsvc.exe
3016 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1808 wrote to memory of 3460	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 3460	1808	rundll32.exe	rundll32.exe
PID 1808 wrote to memory of 3460	1808	rundll32.exe	rundll32.exe
PID 3460 wrote to memory of 1268	3460	rundll32.exe	mssecsvc.exe
PID 3460 wrote to memory of 1268	3460	rundll32.exe	mssecsvc.exe
PID 3460 wrote to memory of 1268	3460	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\18199888d6cc03fa3b1adee22012c083_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3016

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3784

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
593c3b4a49cfdb31b496163dd21310c2

SHA1
46edae6e9d6ad7f129570562f82500acb63362f1

SHA256
9cada52102762c4840cf59a4d1134a36a5aefb3b21d1736a5cbc95d9ff47db6e

SHA512
4546b0084e47fc8a126ff4b1027134c22d268e09328e761fc0591d7f2e30f5fd0a7118bccb7d0bbc786413a54c354d3c04ff86d0617792178dfd1e5427f5036c

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7414f3e8a6a4b3b0c37e517b15f17d62

SHA1
9916d2a510ebb40d021228dacc8edf62677ce231

SHA256
c84a232eb09167445e9a9acf70183cc15a9d710c7a2bdf650eac1e392823f194

SHA512
96d42fa67d033907ff090feb6b27d9838e6d6612b53c679ffdc76db05a899ecfc35c9405148103385a277cbb164e200b3a39c746ebbc7d489801dcd08829875e

Download Submit