wannacry | 9ec61ae7609b5b7cbff2fbb60574406c5fc57e365f6f4c16d8e11141c9e987be

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Target

ad5517a1eb752f6d23d69b2f7921cd48_JaffaCakes118.dll
Size

5.0MB
MD5

ad5517a1eb752f6d23d69b2f7921cd48
SHA1

c7937342d7bd4d93c502482a68ad5025b15e519b
SHA256

9ec61ae7609b5b7cbff2fbb60574406c5fc57e365f6f4c16d8e11141c9e987be
SHA512

739c9fa2df5b4c052a3ed3510d129e36fb1f6927cf922c07f2f62ab53e77455b80f36957877629f6178bcd53bc81f65291664ba4047fab0c2b307c2f9d6b272d
SSDEEP

98304:+8qPoBX1aRxcSUik36SAMxWa9P593R347U3Ra1rFz9TADyJxTazi9ozCY+Zu:+8qPg1CxcAk3ZAPadzRomoPLkVm

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3318) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4540 mssecsvc.exe
1380 mssecsvc.exe
3012 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1104 wrote to memory of 324	1104	rundll32.exe	rundll32.exe
PID 1104 wrote to memory of 324	1104	rundll32.exe	rundll32.exe
PID 1104 wrote to memory of 324	1104	rundll32.exe	rundll32.exe
PID 324 wrote to memory of 4540	324	rundll32.exe	mssecsvc.exe
PID 324 wrote to memory of 4540	324	rundll32.exe	mssecsvc.exe
PID 324 wrote to memory of 4540	324	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad5517a1eb752f6d23d69b2f7921cd48_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3012

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:1380

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
0a4adf5b8d5f7f2af6863aa0f6854805

SHA1
aa11d0acd8721050c49aa48653c94acc1e047441

SHA256
3c552e558a6a764b52eb7bd8f1be11a5dc8c6f116073089bae7601f686f6b0e8

SHA512
f31a0d60eb5e60ecaefd00e8f69e111106b8d2c08a461800e51a6a85e9653533829ab3b82f5b774f9f8f21d41028a45e6174f46903bd4877f2d14fa74bb4d883

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
c8c7248c812a1a10bbd0b5658256d3e1

SHA1
482c17052dd131e41e2e254dbb29347840f41688

SHA256
c531db9707938d32901b120c947ae646986d461e09619fb961dd4bfe8ca734dd

SHA512
ba4eb3f7b50fd0a9e58e0ad202b10dc419081dda9342ab0c51e06a307bd25cce69fedd3dbdf19228ecdf3d6892c18cf374aebd1b2cf4758d103d1da53f6db857

Download Submit