wannacry | 74456df3eab31876c8b4394635aa541567bcef501516ff92676ec5b475790437

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 08:32

Target

a8bff7f3bafcdc471d9d3e17bc359cf1_JaffaCakes118.dll
Size

5.0MB
MD5

a8bff7f3bafcdc471d9d3e17bc359cf1
SHA1

f5202f682f8448f611ca4f93f12a7213677f9e9c
SHA256

74456df3eab31876c8b4394635aa541567bcef501516ff92676ec5b475790437
SHA512

e940846a5a16dfe5d7d3a8b38b4599b2bb17b79cac5267e54f25c860d2f74cd6f4152276942126f3c88e1d1680f032342441a605f3053f64c6ef300b8b345d2a
SSDEEP

98304:T8qPoBhKcSUDk36SAEdhvxWa9P593R8yAVp2H:T8qPLcxk3ZAEUadzR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3359) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1460 mssecsvc.exe
996 mssecsvc.exe
3796 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 728 wrote to memory of 3248	728	rundll32.exe	rundll32.exe
PID 728 wrote to memory of 3248	728	rundll32.exe	rundll32.exe
PID 728 wrote to memory of 3248	728	rundll32.exe	rundll32.exe
PID 3248 wrote to memory of 1460	3248	rundll32.exe	mssecsvc.exe
PID 3248 wrote to memory of 1460	3248	rundll32.exe	mssecsvc.exe
PID 3248 wrote to memory of 1460	3248	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8bff7f3bafcdc471d9d3e17bc359cf1_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3796

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:996

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
9d0c5e55fcc131a2b1367e47906d3d07

SHA1
e18444fb0d57ff035da202e445dffcf8ad3e1ffa

SHA256
a242d6d30d943d2bfddfa65223bcca53760ecfad31a6ae2b630242a999aa8d43

SHA512
c63a2fdb193cddd9708da00775be20ef9023f7a4ae120aaa805f4ad306ad55a937b6fab35ad340822dd29249d0cc71d7c8b03e63a540c0fe2b6ad7fb72f2b3ba

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
cdebb45bfa5f10b0b831bf9fc498a696

SHA1
a2e961203165d923296f14f22142eacebcf22fcf

SHA256
afc7b0d1930a26180b40d2fcdd2c84521ac64962736bf5003a91f3afa709a5fc

SHA512
da909d418089d60c2f055c77aca29a5d6ce4a9c63c7588c6489c31e6108bf4e5e6a4772808ed0bfc3def938c72a2109c90f00870ce4ca456b388553694b8698c

Download Submit