wannacry | 571e7603ef71138aa1423e6d7e0111c7efaf54a9844471638d899e124db888de

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 06:56

Target

23b42e30bcbbc5649f189525a02758cf_JaffaCakes118.dll
Size

5.0MB
MD5

23b42e30bcbbc5649f189525a02758cf
SHA1

07a54b3c3a3df399ace3f557423b5ca539a4a91b
SHA256

571e7603ef71138aa1423e6d7e0111c7efaf54a9844471638d899e124db888de
SHA512

19ba831999a89a0aeb0ea3872842d51cf52e15032376c5135c5f51a8334f2c4c82a3811c9a2305e3d476eb7976ec317d89c53f7491dd4ecf230394aead38f112
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P5UBr:d8qPe1Cxcxk3ZAEUaduBr

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3378) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2632 mssecsvc.exe
2332 mssecsvc.exe
1248 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3612 wrote to memory of 2804	3612	rundll32.exe	rundll32.exe
PID 3612 wrote to memory of 2804	3612	rundll32.exe	rundll32.exe
PID 3612 wrote to memory of 2804	3612	rundll32.exe	rundll32.exe
PID 2804 wrote to memory of 2632	2804	rundll32.exe	mssecsvc.exe
PID 2804 wrote to memory of 2632	2804	rundll32.exe	mssecsvc.exe
PID 2804 wrote to memory of 2632	2804	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23b42e30bcbbc5649f189525a02758cf_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1248

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:2332

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
8181f137453e486e8841935ceac4cc97

SHA1
6b4558b59f241a8b6445c018c3a71930bf2d2061

SHA256
e54f60f3f6abbf3b06b8bb927755ac423cf9056f15bfa9360d930dd8fe595c2a

SHA512
88181c13e350db3eb9d24b148c7b50d446fde5f130b6e58b011540b3f37d1613827def20cc8559fe0fe562b8b7bc6288006a1052bafb1bc88523951d3c5468cf

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a1be493d471589a611dab412b7bf6bc8

SHA1
21ff7b7cfbf13c840cea55036b07b101e6f2b52b

SHA256
269d8bb792deccb011db69d1a774fc2f3e87db2772aaa16405239db03b2cd726

SHA512
648ea37ce1e7225a9164696d8bbd9f245196186885a214c3cc5a7b147bed55701ec2244b8a97dfefc3321d8ae25c379e84fcc6b67a0f868078d3c2a9aed00fd6

Download Submit