wannacry | d2893feead9c7ce80858fbdd26b0b82cb5a0eda30368003522d2491367e19e3b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 00:34

Target

a32ad2b83ee36582fc7fde744a807dbc_JaffaCakes118.dll
Size

5.0MB
MD5

a32ad2b83ee36582fc7fde744a807dbc
SHA1

ec9a64a97ec7baf868ffd4fbaa5dd125ab840468
SHA256

d2893feead9c7ce80858fbdd26b0b82cb5a0eda30368003522d2491367e19e3b
SHA512

719cb59b16fb5969cfa1fdcd290f96ff943243fa7a23389ecf34f2715a3bc9265626ebd720bc4994c4d935e2ac0bfa385ff16bdd3e1b4ae18200f666e0c57248
SSDEEP

98304:d8qPoBhz1aRxcSUDk36SAEdhvxW/593R8yAVp2H:d8qPe1Cxcxk3ZAEU/zR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3353) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1512 mssecsvc.exe
2472 mssecsvc.exe
232 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 684 wrote to memory of 2808	684	rundll32.exe	rundll32.exe
PID 684 wrote to memory of 2808	684	rundll32.exe	rundll32.exe
PID 684 wrote to memory of 2808	684	rundll32.exe	rundll32.exe
PID 2808 wrote to memory of 1512	2808	rundll32.exe	mssecsvc.exe
PID 2808 wrote to memory of 1512	2808	rundll32.exe	mssecsvc.exe
PID 2808 wrote to memory of 1512	2808	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a32ad2b83ee36582fc7fde744a807dbc_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:232

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:2472

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
18f1a4479da2737c493df827d50e8e77

SHA1
d1b91f100c9291ce996a7156766e54d30914284a

SHA256
7da681ac7ff7bef8ff19b57f735c701af9525fc76a89342c6a27f3bda6d4360b

SHA512
c85b061fadd293351724abd751c58d6b3ffb9eb9f2d408890231077d40026d8deb8090fc6ff36702860f405d0b124874a8ab6f611b38c8408dd56d865db53b37

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
8f5ddac43bafb9dd98eb16e41e99b7c6

SHA1
7ab9d8c5dc1fa43bf73ce80d143126cafc3647fc

SHA256
9eac071084c0759883ef3d8d07410231b85f4e2a00e034f2bb904b6b172f0d64

SHA512
8d2a5de027582a566984ecc0f77e2312767947341b27cf5a463cf4dda897936a59fb32126966406a4cbd0128239deb53e040f615e2440efa92e51219409d3840

Download Submit