wannacry | 6eac3a90343df429a921c57f01fd709f73318c354e34354d2f0da528d14a0d17

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 10:22

Target

a04d986a0899f529974a08c1cc9cbe0f_JaffaCakes118.dll
Size

5.0MB
MD5

a04d986a0899f529974a08c1cc9cbe0f
SHA1

eb3dbdc562a258b91447cc3bb335bc8bf2d98328
SHA256

6eac3a90343df429a921c57f01fd709f73318c354e34354d2f0da528d14a0d17
SHA512

5321ba00cdaf782a89738655271f523da02b92edb74aa553c16b989f8f62634fd7d42d95742b21c481f611c39fb619ceec017cacc6266974c39039433d4a0b1c
SSDEEP

98304:d8qPoBhz1aRxcSUDk8xWa9P593R8yAVp2H:d8qPe1Cxcxk/adzR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3364) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

692 mssecsvc.exe
3788 mssecsvc.exe
456 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4200 wrote to memory of 1856	4200	rundll32.exe	rundll32.exe
PID 4200 wrote to memory of 1856	4200	rundll32.exe	rundll32.exe
PID 4200 wrote to memory of 1856	4200	rundll32.exe	rundll32.exe
PID 1856 wrote to memory of 692	1856	rundll32.exe	mssecsvc.exe
PID 1856 wrote to memory of 692	1856	rundll32.exe	mssecsvc.exe
PID 1856 wrote to memory of 692	1856	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a04d986a0899f529974a08c1cc9cbe0f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:456

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3788

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
77f4e2778a294a34161dc078a8c2fa81

SHA1
1f05c7ba089b9e68e9b8e74baf8827f855d1fb80

SHA256
f65142341c15fd7329bc4019d4b31653adcfdaaf979a00cf5726bd79a728832b

SHA512
a1e22c94a1b949ba5943846a2e8cef6343f2a0cebc93c5ca0b98b359a4ee5889451712a52f9262c3a2ea6acdeeaa7b3e472bb43074e713a357cef9d476c9e98d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
2e762ef70aad2f4a815a6a2fd62719cd

SHA1
f7daacadba17699472008b2d174ef4541d915de0

SHA256
90fe60c3efb4bcf6297350d3bda6c86dfa0bfc98df8df0bbf04f02ecd83accd6

SHA512
99732c371d1963a4eb3f731e8d269434f55ff9096520ac28fbd24db65af1ee6eef0135ee8c5b80b8678f16d8b86d6ad37ce69db678fb25c405e5e938ea45ae9d

Download Submit