wannacry | 6a81d946fdb06e601caa1018b39bc1a513a53e7716a7c1b8824f10fbad72e26c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 02:03

Target

935a103be36400df296e44f438467f3c_JaffaCakes118.dll
Size

5.0MB
MD5

935a103be36400df296e44f438467f3c
SHA1

c24562cf24a51cb81ecae2b64993602ff93da5af
SHA256

6a81d946fdb06e601caa1018b39bc1a513a53e7716a7c1b8824f10fbad72e26c
SHA512

f1b11cb0c25f745bf31e5cc225ac7afeb103deed6dab97197bec093a5792a8205f2d052d60485a3654fa5849b713406db72417e90d91f2da4cfdb035e7985478
SSDEEP

6144:yE9l9yNqIYVTH5DgSg8ajldktM0XXrs2QhMV9qbBLIwYQuy8DLq1eNVDwUM:ywbLgPluxQhMbaIMu7L5NVM

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3336) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3700 mssecsvc.exe
2064 mssecsvc.exe
2164 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2256 wrote to memory of 4976	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 4976	2256	rundll32.exe	rundll32.exe
PID 2256 wrote to memory of 4976	2256	rundll32.exe	rundll32.exe
PID 4976 wrote to memory of 3700	4976	rundll32.exe	mssecsvc.exe
PID 4976 wrote to memory of 3700	4976	rundll32.exe	mssecsvc.exe
PID 4976 wrote to memory of 3700	4976	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\935a103be36400df296e44f438467f3c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2164

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:2064

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
03da1a94d9940babbb24c2f09177e145

SHA1
40fdb506c7df3e5c95a9e5d6acca2b9cac0aa5e1

SHA256
c9a0c495bcee207bab8ff291107141bc2e23a4f5a5102cc24354eaf4009dbbf3

SHA512
ea260f5ddcde156ea942698995a9cd00e8def5515f48a76b0a691bc25c760339119197230585c164647ec0d0f94079d5a40aea15398838041f50fc3ec4c39b31

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
2cfd9967eaf64845781ce70f0dd69ccb

SHA1
c9bf80b6af17c54c460e0f77d7520894de91a632

SHA256
dd35fc41dd35b399a8e52cb4e12965a4c0d910999a1133ffe95a8cf50bc950ee

SHA512
31a82b9837c57029a5008ab5c8b71a379ebb29a7fa646224a6c87fc017163bf23787e23a53b5262ebc76deefb4ac099d83995f0fc17b7ba02afff6251ce14d99

Download Submit