wannacry | 71ead60c0733e8183627dff103ff724a9c60c836927d5243748b09de52cd036e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 08:09

Target

ad783fbf722b1db4fe8450ee66e5025b_JaffaCakes118.dll
Size

5.0MB
MD5

ad783fbf722b1db4fe8450ee66e5025b
SHA1

9d85bb023c3565d793558bdb77ef4e5e31d44d74
SHA256

71ead60c0733e8183627dff103ff724a9c60c836927d5243748b09de52cd036e
SHA512

d7a8ae5cae75f0be7616e18b9ad1bf368300416b547dda8012aa6e36c2f5140252cad0800b60b58c929e352361c33112bcb6df48b43593c089ef4973d1df57de
SSDEEP

98304:d8qPoBhvRxcSUZk36SAEdhvxWa9P593R8yAVp2H:d8qP8xc7k3ZAEUadzR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3351) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2696 mssecsvc.exe
4820 mssecsvc.exe
924 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvc.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvc.exe
File created C:\WINDOWS\mssecsvc.exe rundll32.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4404 wrote to memory of 4588	4404	rundll32.exe	rundll32.exe
PID 4404 wrote to memory of 4588	4404	rundll32.exe	rundll32.exe
PID 4404 wrote to memory of 4588	4404	rundll32.exe	rundll32.exe
PID 4588 wrote to memory of 2696	4588	rundll32.exe	mssecsvc.exe
PID 4588 wrote to memory of 2696	4588	rundll32.exe	mssecsvc.exe
PID 4588 wrote to memory of 2696	4588	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad783fbf722b1db4fe8450ee66e5025b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:924

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:4820

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ceb61d60078674ff69a430abf6657ad7

SHA1
5a7dd87f25bd07c0a51261af8d52bf31102d009d

SHA256
cbe882c23eb30d3b12e0c3b589a7ff6378c5efc8de75414a554292c572014fe2

SHA512
e724d92ad701e0c3b8e56196c126cb9691d42a3fac5863966cd0d574323b30e710738cd85f70ad7d85e07e396a3dbbb839d2a86617616271bcd5b27a77a52076

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
bff42f0fc080bf4aea86fc1dd043fd07

SHA1
c5befd5eda89e73b4d2d9c8b555bd3d3877acb80

SHA256
4e99af6c34a00f104e372d545f2295fb13a369a187d1183f97e7c96e4225a2c1

SHA512
203ca18be21e2894545ec628d99b99409c094b6fb67ad8a1e852180d271792dfad69d6c491d8467fb2f4b9cb7f48338ecdd4549daf838b7385f4018f7782e509

Download Submit