wannacry | cc76131a6fbdd233d2cb6dae93b1fd5883b7a78dda5d7ad859ddb33feeeaac7e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 04:14

Target

232569d59a9b2e49c99c142f961e0799_JaffaCakes118.dll
Size

5.0MB
MD5

232569d59a9b2e49c99c142f961e0799
SHA1

1e6e1300f462451ec0a1dc2f79a9cc5252f95b83
SHA256

cc76131a6fbdd233d2cb6dae93b1fd5883b7a78dda5d7ad859ddb33feeeaac7e
SHA512

2448514c6ef5f39c3426ec7bb3e1a38b552051c87f9b788b7154ac25b06d1f13407e48ea5cc637fe6b0201422e681f89d4802287112761794fe74a65d140dc4b
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAME:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P5

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3244) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4808 mssecsvc.exe
3644 mssecsvc.exe
4992 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4888 wrote to memory of 2732	4888	rundll32.exe	rundll32.exe
PID 4888 wrote to memory of 2732	4888	rundll32.exe	rundll32.exe
PID 4888 wrote to memory of 2732	4888	rundll32.exe	rundll32.exe
PID 2732 wrote to memory of 4808	2732	rundll32.exe	mssecsvc.exe
PID 2732 wrote to memory of 4808	2732	rundll32.exe	mssecsvc.exe
PID 2732 wrote to memory of 4808	2732	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\232569d59a9b2e49c99c142f961e0799_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4992

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3644

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
8df8fc447b12bafdbc97d38ccce10736

SHA1
33d75a40fa2a17a178cba25bc8ec74765b31f993

SHA256
cae32f5adf3886d799ea260de2aceca2a83d2e359a5b5dbd40c7fb3fd2c47065

SHA512
1b349eea9e5dfec795f07309fdd58e090f825b7305fa18120628167ccfa72ca655c810fd54f6afd852de38b3c2a796dbeea71d5b3ab857ebc326eba6c56f0f32

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
6dd6a4d43690e42346e2566448eb7e8b

SHA1
2a65cb18fd99ccf9f8d18a8128b405309940d98b

SHA256
493ec650870429b427b5366d6198e38d2f80f605a8dfb50dd57cc2d05cc31f82

SHA512
6f73cf85b5a755a42ddc9674d9e67767125b4ef589be194c443df8e0153f64937b995f0b177f596fb4d4fc1d363a6b5615b951b82b9a46a76b7ba6d09cbbc870

Download Submit