wannacry | 7f33873f415e0d84c4504705b7d5959845a81c9cf086b08587d4f2699337071b

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 08:36

Target

a8c326e0894458b54d3b2f3e3cf53ae5_JaffaCakes118.dll
Size

5.0MB
MD5

a8c326e0894458b54d3b2f3e3cf53ae5
SHA1

b52dceed397066d4dcd63a592e275d3710512b4c
SHA256

7f33873f415e0d84c4504705b7d5959845a81c9cf086b08587d4f2699337071b
SHA512

02c54ea84212513e5c4974b2128d40d0668605e8f4e1f451891bf554a7695dd3d809ca536aab96d4b5d9b182106de1a34f21dedb13b0dbab4244c2593b99ded6
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P5

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3361) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4952 mssecsvc.exe
2684 mssecsvc.exe
2188 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1020 wrote to memory of 3648	1020	rundll32.exe	rundll32.exe
PID 1020 wrote to memory of 3648	1020	rundll32.exe	rundll32.exe
PID 1020 wrote to memory of 3648	1020	rundll32.exe	rundll32.exe
PID 3648 wrote to memory of 4952	3648	rundll32.exe	mssecsvc.exe
PID 3648 wrote to memory of 4952	3648	rundll32.exe	mssecsvc.exe
PID 3648 wrote to memory of 4952	3648	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8c326e0894458b54d3b2f3e3cf53ae5_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2188

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:2684

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
a8433cf4a2edb88d554bd3eda73bc75d

SHA1
e14490bd4d487d1403e970e26249ae971df1d685

SHA256
85bbf60d6c77f59de24454f9caa63a73f2ceb542a37bde0b7008807da8d6ccf0

SHA512
581968740f31fccad4f273d9163776f84c1e5be06e7e8d0c445b463e42e44c5ab9937bc0d6678c9853629b3adb0dad8927c046fa93dacb7ac75ab11745ca0c67

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5786aaa4f672424a419d66f9a65043e9

SHA1
86b52a09ece20c196e68346da54f85ab0d1d0a2b

SHA256
1f1ca962967b9e36dc4080039cfdeaba354b88d7daa0767259d3f2e92b695b22

SHA512
d317304be1b09cde275bbb50f04f6c6c39b08b0f215d72cfdbda10a08f04822319e1362a224b03bf45a7c51e18e312091e2cd1cc835f823ac032e98205993cba

Download Submit