Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

200388c26c...18.dll

windows7-x64

10

200388c26c...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2024, 08:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    200388c26cb013ab659d7c77cfdc0b83_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    200388c26cb013ab659d7c77cfdc0b83

  • SHA1

    043143c6e15b1bbbfab1ad5516a0457205d3d913

  • SHA256

    3c90f3c70795e8c99bb55c49ddb8180ec3261c615e8b8fc9c0b14a4e58cb51af

  • SHA512

    b5b4112bfad9ac2fad3770088471a74332b2298cb6d7d4fb48e894cda7fd520ce8278c7c2f70e82ae6d748fa301b6f4ee8f82cf07af84be1d10a8f4ef807d146

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1oxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBhz1oxWa9P593R8yAVp2H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3318) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\200388c26cb013ab659d7c77cfdc0b83_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\200388c26cb013ab659d7c77cfdc0b83_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:388
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1808
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4448
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:3316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    77ea16b36102bf3b698299ebed64dbce

    SHA1

    53297e7aac45ac27d68e4170323ef02cb117384d

    SHA256

    bef31977a0c504261f9b67bf8dd09ffa6c7a8e4167da8f22cc51be757c5b832a

    SHA512

    20ffc5b41ac8701c561ffe10ca287cbd6b4eb2e838816761f34009cefdaf679c774177be4dc18b59baa06def72454ad99cda721f7d720f9344b3721fd7da0464

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    40bf8f3b18cd546fe6b8a6e50fdce2e4

    SHA1

    ce11d541947ce7d46c98d3c220e00bf6bbc9faa9

    SHA256

    e2eeb75402025a8cd8ee3a564d404f8fb8096feb44068e1df82445ae51b66185

    SHA512

    dfcbdb9f070edc7b9afdaa46e9002b000224fa1a54afafd28e11ade2227d13b495c4bea9f454505dba9b070adf6ba2f6fbba0396189ed11f569b3d0125333032

    Download Submit