wannacry | 3f6dd13bf4024fa1d7cd3afd3e92eb34a4a079603f7763bae8671c664f3be81d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:46

Target

6893182bc20611a90422a8943e255340_JaffaCakes118.dll
Size

5.0MB
MD5

6893182bc20611a90422a8943e255340
SHA1

8fb2cac71bd8ae9f8e669e5f76531f8300974d01
SHA256

3f6dd13bf4024fa1d7cd3afd3e92eb34a4a079603f7763bae8671c664f3be81d
SHA512

1795535f251dcf16a2f6ed6d7d2248b4aa0a5d4c4bf0b4ae7a6a533d074884f4f98beb6b05685f24c24c556378a315a78adf6586636e8b878b31799b13e1e95c
SSDEEP

98304:d8qPoBhz1aRxcSUI1LE6QhDAdZM2cXv9IfrrwLZqlTu5hgb+9qJfuMI74l8BuKG6:d8qPe1CxcS1LB+ELM2c/23MWQCWq1upV

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3361) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3024 mssecsvc.exe
1260 mssecsvc.exe
3744 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2992 wrote to memory of 4908	2992	rundll32.exe	rundll32.exe
PID 2992 wrote to memory of 4908	2992	rundll32.exe	rundll32.exe
PID 2992 wrote to memory of 4908	2992	rundll32.exe	rundll32.exe
PID 4908 wrote to memory of 3024	4908	rundll32.exe	mssecsvc.exe
PID 4908 wrote to memory of 3024	4908	rundll32.exe	mssecsvc.exe
PID 4908 wrote to memory of 3024	4908	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6893182bc20611a90422a8943e255340_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3744

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:1260

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
6dd293636356bc95eeca45be78adc6e9

SHA1
37a008ed6dcc5baff0f11473a28f6a2f6cd5f00b

SHA256
5911e4cc21a86555e8f9217a2a85120ea245b2eb8a7703897b31428539df4088

SHA512
5cfb4c9638d1b2f4fe3b5d9bcd9fe63a7f66282dc6306af8ff6d4f5051f00465a28f11ecbd5cafb64f5470417ed9b089b96e543398fb020f2c945e4b55b3330c

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a8776fcc7003c58c688793c82c411761

SHA1
4b2491eb6d0a0aab9dd5eeb34308c31b9a3ef0ef

SHA256
93b150a46f9a230c6087de8379c84719b44aac1aeaa640f30a3525ae1049630c

SHA512
42d0f9aff76fe6ef7ff65952ef907fae8aa0868d1a2413f491d700491c6872fef64b44ebeeef506edfe4da1d6099a74f13e19a7ea4dd1a946a2e508c0147a77b

Download Submit