wannacry | 31e89065c103ffa60d36c9893758698db7128ca994b2ea1caa1062167c781d50

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 00:29

Target

8ff4c53b72021149d0442cb3d907c695_JaffaCakes118.dll
Size

5.0MB
MD5

8ff4c53b72021149d0442cb3d907c695
SHA1

a70fb448efbb68d52aae383e328a9782f76908c9
SHA256

31e89065c103ffa60d36c9893758698db7128ca994b2ea1caa1062167c781d50
SHA512

1b31c81ebfd862bf942043fbe06374069b73eb48874839365b3f467a7ff442ace565fddbb34d4dc1494e63fcb15751be959bd5b1c95f86b0fb21337e4bde2b5e
SSDEEP

98304:+8qPoBhz1aRxcSUDk36SAEdhi593R8yAVp2:+8qPe1Cxcxk3ZAEezR8yc4

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3236) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1528 mssecsvc.exe
4188 mssecsvc.exe
2256 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4196 wrote to memory of 1036	4196	rundll32.exe	rundll32.exe
PID 4196 wrote to memory of 1036	4196	rundll32.exe	rundll32.exe
PID 4196 wrote to memory of 1036	4196	rundll32.exe	rundll32.exe
PID 1036 wrote to memory of 1528	1036	rundll32.exe	mssecsvc.exe
PID 1036 wrote to memory of 1528	1036	rundll32.exe	mssecsvc.exe
PID 1036 wrote to memory of 1528	1036	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8ff4c53b72021149d0442cb3d907c695_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4196

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2256

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:4188

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
1e18eb4a7a7de5dbd7b7460983d1cfa5

SHA1
344b5cb7fd698ef361a19c1ae59d085b0428b224

SHA256
d6a2adaa0d5959f73ab917e647b151706ad6475dd0add6002ca0aefb847ce3a4

SHA512
9b50bfd30e5d33cfb61a87ab62649a1c32477c273d1f6cc872e09bd7e3857533bef21406c17765711a6fdb37391d9982f6b2583b1c74fa032fa6769d71e60aca

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
54dbf7d30ffedef6b7cec3645d3011f7

SHA1
dd36a1f6e883a40663672458f3fc4f7fb1a83b08

SHA256
64541d799bc7fa4f03d5fc8dd9c67ed77bfc4c39e88afea88c077635d13c6a0e

SHA512
860a47ed2dba0297c3aa3701145109a06d39cc412bcab0570f85db0e644c588a0cb0d5325f7f69005dad7af3e41a4682521eed59d1298c93b95190b3e4133ac3

Download Submit