wannacry | 57ae6fa8fafc0e1746a65b463fd3be1032d7feb04f72ae65a0cb72659f7e3aae

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:45

Target

64034db074c53e09df4d57fc7a26a6f2_JaffaCakes118.dll
Size

5.0MB
MD5

64034db074c53e09df4d57fc7a26a6f2
SHA1

60d16fa7ffca1448db0da995a24eae901466c61a
SHA256

57ae6fa8fafc0e1746a65b463fd3be1032d7feb04f72ae65a0cb72659f7e3aae
SHA512

b12da23d2e46626bd828158b306ba5503f499c7c37802bd06b7c2fe83df2983f97b6cc59b06c12896f2b6ba3034f0214d55ee356a96430894af3af9d5247d034
SSDEEP

24576:JbLgdeQhfdmMSirYbcMNgef0QeQjGopcL7nEaut/8uME7A4kqAH1pNZtA0p+9XEk:JnjQqMSPbcBVQejoaEau3R8yAH1plAH

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3111) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4352 mssecsvc.exe
4896 mssecsvc.exe
4284 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1796 wrote to memory of 1380	1796	rundll32.exe	rundll32.exe
PID 1796 wrote to memory of 1380	1796	rundll32.exe	rundll32.exe
PID 1796 wrote to memory of 1380	1796	rundll32.exe	rundll32.exe
PID 1380 wrote to memory of 4352	1380	rundll32.exe	mssecsvc.exe
PID 1380 wrote to memory of 4352	1380	rundll32.exe	mssecsvc.exe
PID 1380 wrote to memory of 4352	1380	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\64034db074c53e09df4d57fc7a26a6f2_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\64034db074c53e09df4d57fc7a26a6f2_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4352
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4284

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:4896

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
e65e17384951c5c233388b6ec8b95932

SHA1
7bb5a7bd51585e8280c133c81ca2aec2331de7dd

SHA256
94deb8d6525bba1dac48ee71d28307ed849709658b2c6fc1bf1760c6baea11df

SHA512
87c4225e34c37d73a2138c602d76003b66fe53bd7aa0c79811ea7b9a6e31bcb7424c3fb7bb95ff59157ebc93342a79c55ab6d092dec227ae34e712e34dce79be

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
21cd075408e4d8edfe26c2010426a11f

SHA1
e79ed2ad19269a735a3c634820536ae3fd8517b3

SHA256
c22b2e6dde13e6f4f90fa0fd9a9e354525c061b66b743a0b5e00ecb22487b777

SHA512
b128e0412b64a40e43845c9c76777b42ac5a3d9099dc6146044fbfdc58f81588bc7a693cbfa3bba3a7337624657e39974f61ac9dd4f90e1b8f1c1bce46181e4f

Download Submit