wannacry | c7fb3930cb8e54333ea87e9191b21497f8975567bd18b0a6a24e5fb759c6e186

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 19:48

Target

9f562cee6b7ce2a42243c7550636e2a0_JaffaCakes118.dll
Size

5.0MB
MD5

9f562cee6b7ce2a42243c7550636e2a0
SHA1

3f0fcf9735a0c83a62653518b88d06f64923f8c3
SHA256

c7fb3930cb8e54333ea87e9191b21497f8975567bd18b0a6a24e5fb759c6e186
SHA512

4808d1434e0ef26165710f0ec4d99d25bd4c71cb5404e96fee7a8145723a93a0268bcd63e5cd012cb02645b030a68366952d63c25ad1815a6796e0361c9f2ad1
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdh9YoT3R8yAVp2H:d8qPe1Cxcxk3ZAEtR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3383) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1412 mssecsvc.exe
3436 mssecsvc.exe
1048 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 5084 wrote to memory of 2396	5084	rundll32.exe	rundll32.exe
PID 5084 wrote to memory of 2396	5084	rundll32.exe	rundll32.exe
PID 5084 wrote to memory of 2396	5084	rundll32.exe	rundll32.exe
PID 2396 wrote to memory of 1412	2396	rundll32.exe	mssecsvc.exe
PID 2396 wrote to memory of 1412	2396	rundll32.exe	mssecsvc.exe
PID 2396 wrote to memory of 1412	2396	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f562cee6b7ce2a42243c7550636e2a0_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1048

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3436

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
4c758dd1b8c4ffb04a4d9b6d20ca6328

SHA1
985a7cd2b3a4b32e2cf5e1c23df915200ad47009

SHA256
8b956dd7cdf4f2039844dea4f0a3b92df3dd3c6e00ad073a89c045bb01a6b2fd

SHA512
2478c94b1b336c17958b98d29fdf0b12a25b9e62c0ef6ba9afdaf24a77be76886f6ea76e97c3570b8e2c89f85b7932ade285597717363952643da24650cd56f5

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5962a1fe4ec3fb34d4c6bc7329e4c952

SHA1
af7a0dddd89dcc4606d0b3ebc63f3a8d38e2364e

SHA256
d5980f65091e778a3fb5c3100c1291988b3a9798304608ca4fef62f701034e45

SHA512
fce794473bef6939038ae9c4f03d06416d56bf794343805fc7a30d345105d86df54c045652472ade0701444e784dd3f485239d822d22ff43ce4e6e3055598712

Download Submit