wannacry | 1dd001ef5ae3fdc07d44feae5246b23f199e01ce4f7e2b7dd5a354f7aea227fa

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 00:43

Target

62186bebffffcfafb1c70a8ff03fa317_JaffaCakes118.dll
Size

5.0MB
MD5

62186bebffffcfafb1c70a8ff03fa317
SHA1

6fc4434a5fc48ef8c1792f8d7ca49cba14556378
SHA256

1dd001ef5ae3fdc07d44feae5246b23f199e01ce4f7e2b7dd5a354f7aea227fa
SHA512

8cb8d6f6e26cf4e5dd9a894025fe4c8063f3c13bf52a4b0faefcb27f1c95ec2121d9f8d3a4365da34483061d69f1c0da639fc7429a49e4091a2a35dac5775135
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARd:d8qPoBhz1aRxcSUDk36SAEd

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3326) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2860 mssecsvc.exe
3364 mssecsvc.exe
2896 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2820 wrote to memory of 1424	2820	rundll32.exe	rundll32.exe
PID 2820 wrote to memory of 1424	2820	rundll32.exe	rundll32.exe
PID 2820 wrote to memory of 1424	2820	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 2860	1424	rundll32.exe	mssecsvc.exe
PID 1424 wrote to memory of 2860	1424	rundll32.exe	mssecsvc.exe
PID 1424 wrote to memory of 2860	1424	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62186bebffffcfafb1c70a8ff03fa317_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2896

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
PID:3364

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
929b5c4d4aa798214e85226ad735c229

SHA1
7d7f88545a844bd9e4e51263d8e3f2548e3d112f

SHA256
3d57f0bc2b6d14cf215d70d5f6e525622d1e451626c26a8fa9d2daf47de6c8f8

SHA512
fc89df57b54be5aef57fd9e2328bdc181895aee73813d0ecb867815e69d8987f084ffbb570f049c1ff371851500ef0121dd12ebe809acbc6cc2337203444353d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
db04f37a8f947c39285253dbf4eb490f

SHA1
ac9c6ae440c86c6df633c8c156809cfce4254064

SHA256
4038bd684b85e9451ca37e7233c2b39dbf0ad7967829179b75cafc0c661c986b

SHA512
b17162b1dfe12465e2b8fbf9f70f8e5a646a9798ff6625cf6181a62e65ebbd4a1773daa7cc954caf7bf6907c990b487847aa3a4cbb5cf6f5575cdeb5b1d09296

Download Submit