wannacry | bd236394e3a00363d54a3d1913bfac26fffab2b94086e171b500c9b210e6db95

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 19:14

Target

72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll
Size

5.0MB
MD5

72f92b256a78bcd62b59529aa3004398
SHA1

c376e6ae79998b7afe09c3898c91e0e818d255d4
SHA256

bd236394e3a00363d54a3d1913bfac26fffab2b94086e171b500c9b210e6db95
SHA512

92c5f03b07c33b20c9e2d45ba73d36e61d26d6a46c0798de575bb84b6abf09439c50b528b06695b2b5c6d562d0ff23e4688361c640f06e1331fc49c90251adc3
SSDEEP

98304:dWqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:dWqPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3252) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1332 mssecsvc.exe
4488 mssecsvc.exe
3552 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1416 wrote to memory of 832	1416	rundll32.exe	rundll32.exe
PID 1416 wrote to memory of 832	1416	rundll32.exe	rundll32.exe
PID 1416 wrote to memory of 832	1416	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1332	832	rundll32.exe	mssecsvc.exe
PID 832 wrote to memory of 1332	832	rundll32.exe	mssecsvc.exe
PID 832 wrote to memory of 1332	832	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\72f92b256a78bcd62b59529aa3004398_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3552

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
1⤵
PID:4724

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
eb6af116d16be6353892c07b45a24d70

SHA1
8ffc55c0726f852c308049d7e2fa2aaa439381fc

SHA256
265559b912eab6b0048d1fdd9d5b236cbdd1bc3840987394e460fed09421920f

SHA512
422a77bb3df89606a0300afa04c2d58d97c45006eeea4e2e178a170c5ca6419773e7a9ddf51120c0ef9bb4ba9d8c30548efaabd563b68117c4dbf5ffc7bd4660

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit