wannacry | 0666b7b6f571a154ac43341c86bb48c80bda2649368c01d183a660d5e841d0f1

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 01:21

Target

777295af47127697b18eb864656e5dd0_JaffaCakes118.dll
Size

5.0MB
MD5

777295af47127697b18eb864656e5dd0
SHA1

c5103eb13aefab7274962714a1fa8fcf7d0ee480
SHA256

0666b7b6f571a154ac43341c86bb48c80bda2649368c01d183a660d5e841d0f1
SHA512

0628236b1e839aa4038f405ffb387e0cb68b7a8a796777299fbd5ee8179509f21987d0ba7d80a8fc7ee44e375e595087be2540e76e5a9c5a0f78f271ad1fd573
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yA:d8qPe1Cxcxk3ZAEUadzR8y

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3375) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3668 mssecsvc.exe
2352 mssecsvc.exe
2044 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1916 wrote to memory of 3524	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 3524	1916	rundll32.exe	rundll32.exe
PID 1916 wrote to memory of 3524	1916	rundll32.exe	rundll32.exe
PID 3524 wrote to memory of 3668	3524	rundll32.exe	mssecsvc.exe
PID 3524 wrote to memory of 3668	3524	rundll32.exe	mssecsvc.exe
PID 3524 wrote to memory of 3668	3524	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\777295af47127697b18eb864656e5dd0_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2044

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4400,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:3812

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
0e192322d75d1d2809fad5930425b7bf

SHA1
ec45f0c67dc96b607e05c33db23556b7e943f50f

SHA256
ab1411761ecbdfb7be678a5bbd8078775ec1e6896cd3de68f691a0f97aa717a1

SHA512
fbe3c54037d3e71fde4023f2a63b03b9a253d7b53555a766c50243bf8803388d9c0bbe8ebf23adf55523dbdca4c7acac35a6c461765bf3a21463361cb355b46f

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
967b2c05787f5353452c45b7cb9f2f9c

SHA1
29dd704d736249a471df7da340c84a0180e55537

SHA256
e530782aff9d469d892a0687aec278a8ac0ffedb46869e0aae5e9184c0c83923

SHA512
090e832fe0954a7f56788a640882b8cb8b34786f02d3f1d4e48f73d3c7c51b87df973b804ef7bf22a0d1d853ef4b1f8d49741161a7a7cc4d7032db6446beacc3

Download Submit