Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-05-2024 09:45

General

  • Target

    17170c1f1663bdacaca24eaed2281aa9_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    17170c1f1663bdacaca24eaed2281aa9

  • SHA1

    f1ed4fc5b1510cd1316b70e4983c206ac8880491

  • SHA256

    e83bd29e930711a59ecc689134009dca11e954f4032b0e873af291d75b4bab9b

  • SHA512

    abbe062a8de67f75ae2bbcb7476ccd7e6a1e55479b88dc6ad08f0f427eebe6481546c5d3d43784d94b1f68ce125f50b406d8f314e2850a6e8265395d659fd111

  • SSDEEP

    98304:TDqPoBhQRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPZxcxk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3233) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\17170c1f1663bdacaca24eaed2281aa9_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\17170c1f1663bdacaca24eaed2281aa9_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4408
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3388
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    5880cf6009b2b3cd51893b0c2c931b40

    SHA1

    16236d72b808efd99ffc40122438795a7217b657

    SHA256

    74fac56bc2a8cf61050e5665f8c8d027b2d08b19d07ec653528f6937192b3f7c

    SHA512

    17cc77a5b817484bdc5f2e14523009998dd366954f13a517eaedb7b76dc21a329b92d7f125ce72b6803982f58ccd4ca19945679016adcaaab7c8bc608e0ede9b

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    bf04d24e103bd90df3955cbd0a9ab0fa

    SHA1

    f62a37ffe2e1961aee9fa0ec9e7aaebdd9318a46

    SHA256

    5442f2caec423c11be2a9d023e91047097e0f0075b605ddc7fb722fe812ffddc

    SHA512

    e1826b17a7d297c08e9bc334176b00112c25525f42904ead1e3571dbbddf99fb53d34981015418af9f7dc57129d0509d3a3dc523bdcbf10021afc1fc1ced8c09