Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-05-2024 10:07

General

  • Target

    172cae5741578845025b9875ecda958d_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    172cae5741578845025b9875ecda958d

  • SHA1

    08ac3a671857efdd436ffa038b205d2ac0b830ee

  • SHA256

    768e7c17c3c95e8fdbfe517fd34763aff6a49c730c775af65414a691585d1b30

  • SHA512

    9e8c01ad064acecfdb1e56200e1a016ef0b6f548d69d0de68b270a5fc7adf21cdfb840d06884e6070d9393e83ac05b5d5729217e7e3711293caab302ec0639e4

  • SSDEEP

    98304:TDqPz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPz1Cxcxk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3253) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\172cae5741578845025b9875ecda958d_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\172cae5741578845025b9875ecda958d_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2280
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2532
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    af8b2a8701a6ade0c8113988e45b4e6c

    SHA1

    e3e01397f5f3d2d58a86c60954fb06893138aed8

    SHA256

    1a5281967e3fd163b3260393201736910efd8aa683e364aa7a327e7db52f29d6

    SHA512

    bff785d9282c458f5b6825d3ee15c1b98c0b39d9d38f8311a40ef532472f638adb53a274ed08570e9ae7eaa411a41f8c100e0c5814ae2a0c1575d92403458e5c

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    9de4abd28019e64c49e745dbb210fea4

    SHA1

    9f7c19802b737b860f25c69c993066729ff894ce

    SHA256

    18c2c5c6962e53029137d4f20d46ce2b69ce3a2750a3262d9f78578daf64c2fb

    SHA512

    167f2a0b811d03ffb286191f4438baeb7ca09a26f2f93bd75f07937c487e66d9422e695f58c34530938cf8e2f5c51c82c183aa685c84ab90617590db840ebb5a