wannacry | 07d8e93cf329be2ad6b950990385f6ca75c1ba3a4f21712c86f1924b17561b02

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 09:49

Target

244b64b651e2da28939e05fb42ef2702_JaffaCakes118.dll
Size

5.0MB
MD5

244b64b651e2da28939e05fb42ef2702
SHA1

39a3eb59c9938fe138a5cf342d8bf7a19a9aceec
SHA256

07d8e93cf329be2ad6b950990385f6ca75c1ba3a4f21712c86f1924b17561b02
SHA512

d395d3d8b85435bf4bec344620280ae2b739836e143893411f6047e886c89aceb8f921639ce8440b12b2dcc94b3421dff0b32280cd2b3cbc4c7714083af5a47d
SSDEEP

49152:SnjQqMSPbcBVQej/eujAMEcaEau3R8yAH1plAH:+8qPoBhze4593R8yAVp2H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3352) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2412 mssecsvc.exe
2668 mssecsvc.exe
3788 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4860 wrote to memory of 960	4860	rundll32.exe	rundll32.exe
PID 4860 wrote to memory of 960	4860	rundll32.exe	rundll32.exe
PID 4860 wrote to memory of 960	4860	rundll32.exe	rundll32.exe
PID 960 wrote to memory of 2412	960	rundll32.exe	mssecsvc.exe
PID 960 wrote to memory of 2412	960	rundll32.exe	mssecsvc.exe
PID 960 wrote to memory of 2412	960	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\244b64b651e2da28939e05fb42ef2702_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3788

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:2668

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
322636a4e42ea476a0dd3bbd690212de

SHA1
ee214deb35092b4e126801168c3dba55b7517d72

SHA256
00342179af6bcb556e974f258686aa711c5d831516760a9edc2e83e62bb263a1

SHA512
4c54efbf754beaf068792d722bee8dc70d66644c88cc03b7e60fa144821e75f1a017fc230a60cd733386cd890ca0345bd396e9c634778182072de419e68fecae

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
84351a30ade5e889745a6c897b0655c5

SHA1
9cf2512689152dd890e734574fd1901bfd4cb31f

SHA256
3d4afb00a4ad754f856abf557f55abfbdc31468877d94ee2f7204d9e05f871e4

SHA512
1055fe659d8f4c53711cffb117dd770cb974022164a942421627f53449734eb184014f6a0a5588134d032fc57f5fc23a3adce8c95e5caa280070c437d7c7eafa

Download Submit