wannacry | 60abe02f78603cd907bd7e31034b1b075f23484e357171b578b8d2a8c2c7158e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 06:39

Target

a43eb0cdd301c00329d39615995a108d_JaffaCakes118.dll
Size

5.0MB
MD5

a43eb0cdd301c00329d39615995a108d
SHA1

04ee7ee47bb9b6b54a9b95d594c6cd80e4df87fb
SHA256

60abe02f78603cd907bd7e31034b1b075f23484e357171b578b8d2a8c2c7158e
SHA512

ec70cb89110800d8dc72c9cb6741110cbb27ef5c4238fedf5671514d3291af74caebe971f2afa5ed716b69c7208b86b4ce52a4fecc0cf2dd79b4596b6f65a48e
SSDEEP

98304:+8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8y6p2HY:+8qPe1Cxcxk3ZAEUadzR8y64H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3386) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1384 mssecsvc.exe
1128 mssecsvc.exe
3524 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4348 wrote to memory of 3596	4348	rundll32.exe	rundll32.exe
PID 4348 wrote to memory of 3596	4348	rundll32.exe	rundll32.exe
PID 4348 wrote to memory of 3596	4348	rundll32.exe	rundll32.exe
PID 3596 wrote to memory of 1384	3596	rundll32.exe	mssecsvc.exe
PID 3596 wrote to memory of 1384	3596	rundll32.exe	mssecsvc.exe
PID 3596 wrote to memory of 1384	3596	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a43eb0cdd301c00329d39615995a108d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3524

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:1128

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
83521f8fa20fba83da26de14c38c4951

SHA1
fe70f7fc040e903f07e8679a6d6ad926c96e6fde

SHA256
bc9a1427e94f65030cb197be5ff83f8f10bfce03e7616913df010939b537549d

SHA512
f743544d40403fc16486d348bb73204bb426db0b597d03c60df60a08da6ccb625c26dfa280d321e5617104d01628c3c6f7fe2b287fbeb651c9beec3aa5fd07af

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
499a105155b33317db4bee825d56bc19

SHA1
32f780e081ba667741cec15eb009dbe4c23fd5d7

SHA256
60c16580732d0bcec85d11e4afcdde0943c354588eb67dc45f05de161e384020

SHA512
a6461ec10a0b76064d1b5f5a243d24c60deabe4c24650b203efaf1ecebac91c9a76a37980211c48f4ce74d41b8112f4b5628ab6f502a1e2412788c84d690ad36

Download Submit