Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20231129-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    04-05-2024 08:25

General

  • Target

    11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    11e240d70f2e38cecfba1799d8046678

  • SHA1

    33b54e5eebec3eab8fa7159015984306fd53c8cb

  • SHA256

    d3d6fe7d340bfb8fdaa8be94c959099d860ea3c745ce3a15ac5c21078accc41e

  • SHA512

    7b83a0570ee1ec3b11cd1d0bc4ffe14ccf8657fb3a37871be47307a69214cfdbf4920ba05b2cce1d7819609160e177a3db3662f8b3a7b8a3ac04350bcd3d0a32

  • SSDEEP

    98304:d8qPoBhz1aRxcSUDkydhvxWa9P593R8yAVp2H:d8qPe1CxcxkyUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm. Its worm component (dropped here as C:\WINDOWS\mssecsvc.exe) scans for hosts exposing SMB on TCP 445 and spreads through the MS17-010 SMBv1 vulnerability (EternalBlue); the encryption payload is tasksche.exe. The second mssecsvc.exe instance below, started with "-m security", is the service launch the worm installs for itself.

  • Contacts a large number (3113) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (1 IoC)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2544
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3032
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1748
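The process tree above, together with the network-scan signatures, is enough to write behavioural detections that do not depend on the sample's hashes. The following Python is an added example, not part of the sandbox report: it replays a constructed list of Sysmon-style events that mirror the report's process chain (pids, images and command lines copied from the tree; the 3113 outbound connections on TCP 445 are synthetic, as are the field names pid/ppid/image/cmdline/dst and the fan-out threshold) and flags rundll32 running an export by ordinal from a user Temp DLL, the two drop paths in the Windows root, the "-m security" service start, rundll32 spawning a non-system executable, and one process contacting an unusually large number of distinct hosts.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events mirroring the report's process tree (pids and
# command lines copied from the report) plus a synthetic fan-out of 3113
# connections from the service instance; the field names are assumptions.
TEMP_DLL = r"C:\Users\Admin\AppData\Local\Temp\11e240d70f2e38cecfba1799d8046678_JaffaCakes118.dll"
EVENTS = [
    {"type": "process", "pid": 2188, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {TEMP_DLL},#1"},
    {"type": "process", "pid": 2392, "ppid": 2188,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {TEMP_DLL},#1"},
    {"type": "process", "pid": 2544, "ppid": 2392,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 3032, "ppid": 2544,
     "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": 1748, "ppid": 480,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]
EVENTS += [{"type": "network", "pid": 1748, "dst": f"10.0.{i // 256}.{i % 256}", "dport": 445}
           for i in range(3113)]

# rundll32 asked to run export ordinal #N from a DLL in a user's Temp directory.
RUNDLL32_TEMP_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+.*\\AppData\\Local\\Temp\\[^,]+\.dll,#\d+", re.IGNORECASE)
# Drop locations from the report: the worm and the encryptor both live in the Windows root.
WANNACRY_DROP_PATHS = {"c:\\windows\\mssecsvc.exe", "c:\\windows\\tasksche.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCAN_THRESHOLD = 100  # distinct remote hosts per process; tune to your environment (assumption)


def lineage(procs, pid):
    """Return the image basenames from pid up to the root of the recorded tree."""
    chain = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = procs[pid]["ppid"]
    return chain


def detect(events, scan_threshold=SCAN_THRESHOLD):
    """Return sorted (rule, pid, detail) findings over process and network events.

    Pids are used as keys here; a real pipeline must also key on process GUID or
    creation time to survive pid reuse.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for pid, p in procs.items():
        image = p["image"].lower()
        base = image.rsplit("\\", 1)[-1]
        if RUNDLL32_TEMP_ORDINAL.search(p["cmdline"]):
            findings.append(("rundll32_temp_dll_ordinal", pid, p["cmdline"]))
        if image in WANNACRY_DROP_PATHS:
            findings.append(("wannacry_drop_path", pid, p["image"]))
        if base == "mssecsvc.exe" and "-m security" in p["cmdline"].lower():
            findings.append(("wannacry_service_start", pid, p["cmdline"]))
        parent = procs.get(p["ppid"])
        # rundll32 rarely has a reason to spawn anything outside System32/SysWOW64.
        if (parent and parent["image"].lower().endswith("\\rundll32.exe")
                and not image.startswith(SYSTEM_DIRS)):
            findings.append(("rundll32_spawned_exe", pid, " <- ".join(lineage(procs, pid))))
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "network":
            hosts[e["pid"]].add(e["dst"])
    for pid, dsts in hosts.items():
        if len(dsts) >= scan_threshold:
            findings.append(("network_fanout", pid, f"{len(dsts)} distinct hosts"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The path and command-line rules are specific to this family; the rundll32-spawns-executable and per-process fan-out rules are generic and will also catch other droppers and SMB scanners, so expect to whitelist legitimate inventory and vulnerability-scanning hosts before alerting on them.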

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    6edc22d530ba8a8c3de87400d1a3c762

    SHA1

    83975a8e5718eb954ccba19f497a16c75c361cea

    SHA256

    ed59f9f12b99554ead96ba5351f9413654526e6d67c54594fa051d61bd53cd12

    SHA512

    ce8eb2fb1d557101a9c16a6b52eedc18ffb30d34cef10f5e2c3cd5d740ac4a9e794f4446efedfff9f22a9cd1a715d0f7457f7284554c8d61d350aaa530d9ef4f

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    407207ed2f91fcc504c3c872020debba

    SHA1

    7d493a63fe1ab5ac8102a2c54130115b4f3ffa4b

    SHA256

    ab6d965875faa63059f57ae3772f92935bf360ae681a009cac240f05020d0617

    SHA512

    18be7d0ca0dc4f4f78bbc2e330802f624eae9ea3e47f23be9d1b6387631ae31d99155659a5256501e5ce68ad7ed5a6baa41115ddc00f77f7a906402779fd1d32