wannacry | 5c94ef973899d21ac81c5563770ca61e5ff920a342dfb70ba14afb71f41b300b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 05:19

Target

7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll
Size

5.0MB
MD5

7f9b9aad8bb1108f11027ad0d7989255
SHA1

a10f8db721d73de38223e632f8d08ab624dfaafc
SHA256

5c94ef973899d21ac81c5563770ca61e5ff920a342dfb70ba14afb71f41b300b
SHA512

eea0cdbdaad27ac5230d8042708fa8ff8c8d7bec5c049703a741358024136a75dc1f96fc398b5d6f3bd9c09b4d9c47e1049e072badbe82258933c845ddb760d4
SSDEEP

24576:sbLgdeQhfdmMSirYbcMNgef0QeQ4kRiwKt/8uME7A4kqAH1pNZtA0p+9XEk:snjQqMSPbcBVQeRkRiwK3R8yAH1plAH

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3327) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2792 mssecsvc.exe
3408 mssecsvc.exe
740 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 848 wrote to memory of 2912	848	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 2912	848	rundll32.exe	rundll32.exe
PID 848 wrote to memory of 2912	848	rundll32.exe	rundll32.exe
PID 2912 wrote to memory of 2792	2912	rundll32.exe	mssecsvc.exe
PID 2912 wrote to memory of 2792	2912	rundll32.exe	mssecsvc.exe
PID 2912 wrote to memory of 2792	2912	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f9b9aad8bb1108f11027ad0d7989255_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:740

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3408

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
4ca4353c3cfbe384e69363b4b7a5dbe2

SHA1
1df0dd886f513c93b5167cc0754fcef576aca251

SHA256
c91593bed9abb9e0865f56f091d01cadeeeccc5f0288cfa516708f08aa2797e6

SHA512
63130908660d8815b8a0d3e306429ed6bb34fa30236009751f8289f5f2fc0d6fb1bdacaae6e7158395553ce3e60b6d37460c01e0174d34401533e65c73e849fe

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3d6024b2c052a24a93c276098db1cb66

SHA1
cace901d8d4e42c8df146d2a79b5abab452fb9bb

SHA256
dd875e666f84d58652b2dd9280002d93b76e307a9ad760dc0eba1be0597449c3

SHA512
82a3330f8c3cb2e2a26c67ae85ff3b9ae548149cd31eeb85aefcc818f05483f6b1cebbd7d94d26a52f139e3d792bdb6e73baaab7695ce2d5430d79cce645afce

Download Submit