wannacry | f3f54aa74f08e3296c2739abb0f8acfe23f3b23147e668a5df63af15f832a42b

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 04:17

Target

70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll
Size

5.0MB
MD5

70d5a64d5c2a642f64a80762e3334e2d
SHA1

f78269fb31a6ffce0fec200e59c546fc6113eae4
SHA256

f3f54aa74f08e3296c2739abb0f8acfe23f3b23147e668a5df63af15f832a42b
SHA512

65bf9a81e2189bb1c3067a6491ed1a28bfa035755ad87f5dc45b66ab21d38b49b4eb7e05cb3c0019944119b99f20a48b2c9158d5fee474adf75692a78fdfa706
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhn:d8qPoBhz1aRxcSUZk36SAEdh

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3046) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1612 mssecsvc.exe
1488 mssecsvc.exe
2320 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1432 wrote to memory of 2184	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 2184	1432	rundll32.exe	rundll32.exe
PID 1432 wrote to memory of 2184	1432	rundll32.exe	rundll32.exe
PID 2184 wrote to memory of 1612	2184	rundll32.exe	mssecsvc.exe
PID 2184 wrote to memory of 1612	2184	rundll32.exe	mssecsvc.exe
PID 2184 wrote to memory of 1612	2184	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d5a64d5c2a642f64a80762e3334e2d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2320

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:2912

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
5617da4c2911a0c6768d790f0e0c88a0

SHA1
ca7614c80676b4b5e7c224e3c3f5b87c4aa3454f

SHA256
e15997d60c507a0f996572c2e5433619f38d829a66cd7ff24a0f53431617c359

SHA512
62cbb5af46d4e41fea974af54d6546d9ff13af1a31c14fb83fa2d9d0a6a7cf7ed6a05bc775a0ce83ae915bf9a435fd23599ad0ba33ba96ef863a2fc47e5cf9dd

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
b91800f044097d66a2956440ade809e3

SHA1
163381e41d1665d3325f0081b0feb83f399a117f

SHA256
324eaf7b3ecae86cfe0f4c27783e777714512b8b2a017314089bf335ecad7fe9

SHA512
a191ef5d5493949dcf649e22629d748f2059c1a5d95013ec1bbf9ad835e61e4e9d0cd7ad5df6e8e33c417e412256cb796c2576a5935860dcdc67d2dbb91177a4

Download Submit