wannacry | 3cb1c3174967cd53f62fc9c507192c54a6558481a8c21649e8b6c223ece829a7

Resubmissions

13-06-2024 13:07

240613-qc213sthkk 10

13-06-2024 12:55

240613-p6ay1szcka 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5a47a2c7cf5a02d7d12d9881e32c089_JaffaCakes118.dll
Size

5.0MB
MD5

a5a47a2c7cf5a02d7d12d9881e32c089
SHA1

6efc62436c3645956d40f77f1046f971713082e8
SHA256

3cb1c3174967cd53f62fc9c507192c54a6558481a8c21649e8b6c223ece829a7
SHA512

5cf030316d8236eb809c083c64b604c79b536dc0e8250945ba83968836f95d034d59eb26c3403452b7929677f2f0892da1e4c16fdebfd14ca4c4365ef5426329
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAEAMEcaEau3R:d8qPoBhz1aRxcSUDk36SAE593R

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3280) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4792 mssecsvc.exe
3460 mssecsvc.exe
1708 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4792	mssecsvc.exe
3460	mssecsvc.exe
1708	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3792 wrote to memory of 4416	3792	rundll32.exe	rundll32.exe
PID 3792 wrote to memory of 4416	3792	rundll32.exe	rundll32.exe
PID 3792 wrote to memory of 4416	3792	rundll32.exe	rundll32.exe
PID 4416 wrote to memory of 4792	4416	rundll32.exe	mssecsvc.exe
PID 4416 wrote to memory of 4792	4416	rundll32.exe	mssecsvc.exe
PID 4416 wrote to memory of 4792	4416	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5a47a2c7cf5a02d7d12d9881e32c089_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5a47a2c7cf5a02d7d12d9881e32c089_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4416

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4792

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1708

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
efadee3c4fac2e5773fa9aafdfc41035

SHA1
a1514d4060c517f7b823ad95030c5bf3852f0a0a

SHA256
8d39318b7ecf23f85b205ef907097b2754372de4278949004ad8b9293267ccae

SHA512
823a460eac33692c1fb1fd3fa967e737dbdf8e23826a960a0d7719943f331dbf3ade6738426fe4dbe2b4edac966247e8eb7aac957037700234d2b5228fdd3ef9

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5df636c5b0c48d248f8bf1162293fdbc

SHA1
01ee4d8aedea0528f3b11c366b63bc9f32a95ce9

SHA256
43aef931374c4b1b00367c50ded7a594f5153a9c7fcacdcede55c3384e322b74

SHA512
237c095a595c6392f41f5f74418c04d3451446887ba1c15bc9c720bf6b9a834fe797883d0ccd629c18732bdadcb2265129cb779409b0c76c96019ef4dfd55471

Download Submit