wannacry | f31c16c9f5ae0e9564a430f12397013bc4777f791f63028a44aa39b6086df60e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 14:35

Target

aee29b9f1cb36e0f7122330b4f762a4b_JaffaCakes118.dll
Size

5.0MB
MD5

aee29b9f1cb36e0f7122330b4f762a4b
SHA1

bf0897a259777e34fbd328ac42d9d75bebcd59c9
SHA256

f31c16c9f5ae0e9564a430f12397013bc4777f791f63028a44aa39b6086df60e
SHA512

73a4bf011ce07f3fb8cbc82ae09980af27357394cb5e5fd6c4e251a7e5edc2d586a33658c7a8ccdb55652d6f4e947b1f0a4f574b706ddaf4d6e41f0f6fb3530e
SSDEEP

98304:d8qPoBh0yw1xcSUZk36SAEdhvxWa9P593R8yAVp2H:d8qPuw1xc7k3ZAEUadzR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3293) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

640 mssecsvc.exe
1420 mssecsvc.exe
1160 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3256 wrote to memory of 2044	3256	rundll32.exe	rundll32.exe
PID 3256 wrote to memory of 2044	3256	rundll32.exe	rundll32.exe
PID 3256 wrote to memory of 2044	3256	rundll32.exe	rundll32.exe
PID 2044 wrote to memory of 640	2044	rundll32.exe	mssecsvc.exe
PID 2044 wrote to memory of 640	2044	rundll32.exe	mssecsvc.exe
PID 2044 wrote to memory of 640	2044	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\aee29b9f1cb36e0f7122330b4f762a4b_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3256

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1160

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:1420

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
22dca33e86792bf66cd7020697b3748b

SHA1
6bf7ea26f0db190acac8b46e7fc4745b8e43dde9

SHA256
6f4cc9028d5ac3c289b85dcd1224ad106f359e25bcabafa5ece05c3986a1ceb8

SHA512
3bb9e019d1d40b7503a29b262eb43d636419ffcae1b4c7e4ca78585396cada09d7a00f1721fe38a06297cb24972369174d50c92a6277a025f7d59480a84f9182

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
ab6797e870f96ce8191e99cf89b5422a

SHA1
a158653cd1f12df06a154f36c617ca9f96089371

SHA256
166905b9a18d99575dc18292a915532d5b654335ab3ddb186a2213102ef8a20f

SHA512
c737f4518a8013d0c5205efb83c72c7630a3209467abd2944b3d2dfcd95927cc187ced3c7567cc2df53319a16855573d9fd6c21f29bbf4fb000f7059713d8936

Download Submit