Resubmissions

01-05-2024 16:20

240501-ttd75adc36 10

01-05-2024 15:35

240501-s1kstacd58 10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-05-2024 15:35

General

  • Target

    0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    0c2beaa248280dae60f79a8a09da0bea

  • SHA1

    74b12baca9783de659de89d5db019b20149fa132

  • SHA256

    5a92c9540048d3f1e82fabe39847de099a3433e9e54e57067ad9a8e5b357efa1

  • SHA512

    4ce7cc15a380d34033a73e17ac49193a05a763106cc7f119687d47ed42017843f56ed3cd4d17594c0c3fd4e7b97e7c268a507fed7612df36f882b920c4be3616

  • SSDEEP

    49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhpfCfLf:TDqPoBhz1aRxcSUDk36SAEdhUf

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3281) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2244
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2584
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    94707536092fb8828badc0d3c5d15508

    SHA1

    a9f2364d6691b23cea1752040b64872f5f600e50

    SHA256

    8b7c5d74ae3a559b1976746fdff476ebf0d582a0ffd0558587587ac7dbfa4011

    SHA512

    bf08e940b5a979303451b59f290a3db8051d772b44c9dca3f91a4425b1781282559a31a886aa4ca4d037d039a1c36bc8b7e05ecb0f5f1897453d4ae543f439c4

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    73da17f53cb49be8d047046289cbb3ce

    SHA1

    c25808c947bb6fbf2360f06047997af803b968d4

    SHA256

    6188c7b048573bb745fdc04f2ef3723e250d9320ae06289e3a50094412535220

    SHA512

    a8eda17180de9af6c7477e97a67f5b83322f9dafd4f40182f1485e4c1e7eedd7513c85e7cd18d8a3164690b3b34e205ca66cbd1c1698765c2067953f8a7cd313