wannacry | 22ddd844eb93a423794a7899e15015b60871def49f9973f06c37c68a639dd0ca

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 08:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll
Size

5.0MB
MD5

6a4efb8c17327b22a4eeb67080917079
SHA1

0fd519b3da2402d53075f8a2dd4b7d56328c70a9
SHA256

22ddd844eb93a423794a7899e15015b60871def49f9973f06c37c68a639dd0ca
SHA512

8b39bcb332c9605545d6656eca8b7e9660db276ada00cf8eab1289f9ee21da4631c5ac1c3d720854745951a206a7396a4d997132abe4d7d3feb5a5f8275c3d9a
SSDEEP

24576:JbLgdeQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTPVXmi:JnjQqMSPbcBVQej/1INRx+TSqTdX1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3379) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
3148	mssecsvc.exe
3476	mssecsvc.exe
3524	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 232	2804	rundll32.exe	83
PID 2804 wrote to memory of 232	2804	rundll32.exe	83
PID 2804 wrote to memory of 232	2804	rundll32.exe	83
PID 232 wrote to memory of 3148	232	rundll32.exe	84
PID 232 wrote to memory of 3148	232	rundll32.exe	84
PID 232 wrote to memory of 3148	232	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a4efb8c17327b22a4eeb67080917079_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3148
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3524

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
17977ba1ca086ccd84aada0e7bb51286

SHA1
af5410554ea45be32f144bb653492e568f74a35b

SHA256
447b5ebea929be23d5cd952fedf51fd0f9ef7df6f65d411723fc4110a66b955b

SHA512
3f94168ad4dce69f6ef25ef6c93fd898048b17c8c3afed7353e1430d39ba43fad52ddddb172a743897586d51fcda29d98ab94ebfbc29e98b191a79ab748ae948

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7a197ee3214806f5e77b7f3a10509a4b

SHA1
df87b86ecb3fb97f49500d017ac887ca35e4d169

SHA256
2225c3d46c50b02422c57e516239000eaa2224115067693aea57165a59c6d5e9

SHA512
b9ae9ab9d49884ff9d7b59ffd63deee132f9340d6193c16df96913afbeefe170776e8b6a1c62fece17b32f95210903f299da83a446bfaea2b0f22b6330c63a88

Download Submit