wannacry | 2bad1462af5db857fe3409fef6624775996b98809a173b8eebe6d48975e8e163

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 22:40

Target

5bda624e072d09feb07b433b013f3410_JaffaCakes118.dll
Size

5.0MB
MD5

5bda624e072d09feb07b433b013f3410
SHA1

b23db4c3a35942595b86a685a1ab4cfae5f51c41
SHA256

2bad1462af5db857fe3409fef6624775996b98809a173b8eebe6d48975e8e163
SHA512

dd8331004820f823d990f311d30013a5b8db3ffbadded146ef79b2ed695efbdbdf429544a64ae7dfbe4afe0fe67a00921f348466585591d399788efcec18244f
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhHEubWAMEcSAH:d8qPoBhz1aRxcSUDk36SAEdhkubW5ZH

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3234) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2660 mssecsvc.exe
2600 mssecsvc.exe
3136 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1492 wrote to memory of 3368	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 3368	1492	rundll32.exe	rundll32.exe
PID 1492 wrote to memory of 3368	1492	rundll32.exe	rundll32.exe
PID 3368 wrote to memory of 2660	3368	rundll32.exe	mssecsvc.exe
PID 3368 wrote to memory of 2660	3368	rundll32.exe	mssecsvc.exe
PID 3368 wrote to memory of 2660	3368	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bda624e072d09feb07b433b013f3410_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3136

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:2600

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
cf0c5b9bdc306dfe29b27e3ba1abc4e6

SHA1
a25405a5b88ddc278a07a172c7a1bd051ca357e6

SHA256
42680d0b5bda082277ca410053cdc3dabeb2c2e48df8079b64a0360394be65e2

SHA512
bb0f050bdf5f8accb128938a5247b27e2cb0f91c8fa4ceb8adc812a1e97e7ce0a1bfa2626464b50ffa2ef81b2d164d7a516ef8e571aaadf2f81dbf529b4957e1

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
41855d9f1538912eb5ffb379b1a12dc3

SHA1
46716ab4f8aabe12221fb6d8a54ad9621988ba10

SHA256
1279fba98caa2e4381e7566c9c64cf8ccea788943802edebe2cdd3976d23c1c0

SHA512
83863d3bc2bef9a5eab8405ddfdf663714dbfaea83840a1723a30e0539ae1bffac904c69468cb1fd79da4d8a1eb0e00ff86d071797aefad39c4fe13e871f8198

Download Submit