Overview

overview

10

Static

static

3

1d96a9f2bf...18.dll

windows7-x64

10

1d96a9f2bf...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2024 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d96a9f2bfe3496c6bb39c3e79f748f5_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    1d96a9f2bfe3496c6bb39c3e79f748f5

  • SHA1

    4360eb97a5c0b713c9bdd1ed3d960d7d614c38c3

  • SHA256

    04a51580d079a6d78828871a7aab73a2afaba8faa0de0bd4efa1340f41412381

  • SHA512

    3b6e3b9098f8aec8200698ec13a5fa7d44e8e257372e6402c2a712126263fc375bd28fcba8ce7cc3bf73c96e38a3c85f5d68aad0f3902cc5649428aa892baba7

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SARhvxWa9P5wyAVp2:TDqPe1Cxcxk3ZAQadSyc4

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3179) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d96a9f2bfe3496c6bb39c3e79f748f5_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d96a9f2bfe3496c6bb39c3e79f748f5_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2612
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2584
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    f84958c6a860481f0099e57660879d99

    SHA1

    1ec123f80d5e34ef484036657561253e64c87518

    SHA256

    fb8039bfbc3f3eb5caaf249650fcb4137a3d9c4249834340d8b75935a4cafc57

    SHA512

    d9da7e74dc640ec6ff9f6eb5387e50fcf692f98c577c40c5b60dc44f2e152b170d9294d07062dd3692208570b57737c0be94e9d313fb46b071a6a0317f2abed0

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    39e672852115f1c5301911ebbd72b6e6

    SHA1

    bcadcfb65cccb81fc934e1dbf4c749ed0afdcb9b

    SHA256

    03ea5a167ec89a6552eeb1260f52d5803a342b04e3edef04037766dad3a2fde5

    SHA512

    e74fed5ac5781e32e9d33b4fbacfc2e051f330e36afb187e550e6828938f5f997f4e0b8d30f90f12364e0c07743a1fcb81fd3c04cd5c7ed1a22f208c0d05bd41

    Download Submit