wannacry | 8f99b70a31b2c0318ea0d4e84395b7fa7bf097478acf6315ea2387742f1dd0bb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 13:27

Target

79404d982570227ae4c134c1cd3caacd_JaffaCakes118.dll
Size

5.0MB
MD5

79404d982570227ae4c134c1cd3caacd
SHA1

730232a1a3a55dedabe2b765b0ca2f1d0d09f9ba
SHA256

8f99b70a31b2c0318ea0d4e84395b7fa7bf097478acf6315ea2387742f1dd0bb
SHA512

7eb66057fa692171f42c3cbdbc98b6769c8919eec37aa11726bc64976d524166a3a98e08c615dcd60029d3eabcbda4c240968eda403be306ef82668ea13f8876
SSDEEP

98304:d8qPoBhz18xcSUDk36SAEdhvxWa9P593R8yAaZx:d8qPe18xcxk3ZAEUadzR8y97

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3356) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3872 mssecsvc.exe
3196 mssecsvc.exe
3180 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4216 wrote to memory of 3520	4216	rundll32.exe	rundll32.exe
PID 4216 wrote to memory of 3520	4216	rundll32.exe	rundll32.exe
PID 4216 wrote to memory of 3520	4216	rundll32.exe	rundll32.exe
PID 3520 wrote to memory of 3872	3520	rundll32.exe	mssecsvc.exe
PID 3520 wrote to memory of 3872	3520	rundll32.exe	mssecsvc.exe
PID 3520 wrote to memory of 3872	3520	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\79404d982570227ae4c134c1cd3caacd_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3180

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3196

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
bbf7cdd740f487df688c39ccaf673145

SHA1
162f866fc63b91ad5425f18837f385bd2d7c7b55

SHA256
1de88ba59568ffa3250b01a8cbedf76640eaada2a765d5a08619081791ad82eb

SHA512
3c1a8bb2e8c162059dcd1244ba631d8ee1a461063658ca8a5b569c0aee94a4d07fd3799a2d31daa4d7e3fcf1aed67afd901a5df0379c15a0359b080cde7c8c8e

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
83f36d195afc5e47c08cc2f8aac7cab0

SHA1
3b4fe3a68d11a361fce97333ba29ed720c224eef

SHA256
c2f96ef782ee4cacf15ed09066c20151179922c28cd18c44d9f630dc27d735ab

SHA512
9bee484089c2c9090bf7ba4b94ceadac15823c40e97420e2968eac7b1089d2fe9d393baafb1cc23710fd3155c39ccbaf3e78f28352af29be1ed6d2959e5332ca

Download Submit