wannacry | 84a4c8ba9eaf10dbc9a9a0e29d69edcb4b180bb60d406db1cc8a827bf32abafd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 01:49

Target

b12f2bd32267fcb3cfd0a96eca39500e_JaffaCakes118.dll
Size

5.0MB
MD5

b12f2bd32267fcb3cfd0a96eca39500e
SHA1

e5ac663773e796118c7dedf5fba0bd5c2792b566
SHA256

84a4c8ba9eaf10dbc9a9a0e29d69edcb4b180bb60d406db1cc8a827bf32abafd
SHA512

531cc6ae5cd8b922d258f80c522e05f1150553c656ce06282016f0e548a7828aee888180c7bffa18590cbf14a51371176d938c05ce785ee1ab3d68cd8ea92dfa
SSDEEP

98304:d8qPoBhz1VxcSUDk36SAEdhvxWa9P593R8yA:d8qPe1Vxcxk3ZAEUadzR8y

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3236) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1492 mssecsvc.exe
3416 mssecsvc.exe
952 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3128 wrote to memory of 2388	3128	rundll32.exe	rundll32.exe
PID 3128 wrote to memory of 2388	3128	rundll32.exe	rundll32.exe
PID 3128 wrote to memory of 2388	3128	rundll32.exe	rundll32.exe
PID 2388 wrote to memory of 1492	2388	rundll32.exe	mssecsvc.exe
PID 2388 wrote to memory of 1492	2388	rundll32.exe	mssecsvc.exe
PID 2388 wrote to memory of 1492	2388	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b12f2bd32267fcb3cfd0a96eca39500e_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:952

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3416

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ec3bcd8847630c0d651d416187920200

SHA1
eb265d84241616410370c4083c7a0af5888fd9f7

SHA256
516a219aa8c07e01030d9eb2a888958e0a7efe74700f9c46c4be19b2392d1cca

SHA512
e735f9cfd86b1fa592f2a58a39aab676f525c14891312ef60079043b80ab4995ee94ba392e93a8f5e272a1a4466979b1585eb886bc01e8fd8cae0172e2ce3c14

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
17767b615d49f953221d981bcd79998c

SHA1
94f6547f6ab4367a6358a7534ba531909aca4385

SHA256
2e9125b6f065a12a217dbc339e29805a7dd3f5b5df40256306879e930f0097af

SHA512
e5fcd3ec00a471b1e8756cc16574c8cfdd99c655d4b3e013abecc3eb2fb45a3f31d484579dc6786fb8592b1964ff798a19e3ba19be1a7e09aa73f74aa149bc22

Download Submit