Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-05-2024 10:31

General

  • Target

    20520a36e7273a3b6128369fa72c1aa7_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    20520a36e7273a3b6128369fa72c1aa7

  • SHA1

    02276c660f3622a32ed8c5ba9cd42a42269e2a17

  • SHA256

    05db4f6d2715f067d3b212bbbd91aafc4a6d66316ddd6e7e4a523f31841b4bc3

  • SHA512

    bcb2aa934e58f3f48c59dcf3c24ea41de1e83510382d790cd5b152161b037ee27c59bb546cbc82e0933782d8d0761a808ff9ce00fa9883907e7d7f677a6111f4

  • SSDEEP

    98304:TDqPoBhzPyqRxcSUDk36SAEdhvxWa9P593RzPfwo:TDqPeaSxcxk3ZAEUadzRLfw

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3232) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\20520a36e7273a3b6128369fa72c1aa7_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\20520a36e7273a3b6128369fa72c1aa7_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2040
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1968
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1116

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    448KB

    MD5

    28e3300eab6717ad6c82b806b3c2ed5b

    SHA1

    57a039778942f4bcf552a1f6fe026f5d95743740

    SHA256

    3926aa857d3ed3395fb57da8a0936e250b05609af999d82b64c5526eff276d3e

    SHA512

    dbb51ec27cb2d139f6ceb6cac2f1381a4ab1383bd08cde61964bef657addd2073e65494c01605f429238cfe31c591461fd648980541afaf643d801753696fb5a

  • C:\Windows\tasksche.exe
    Filesize

    576KB

    MD5

    e8c39c862793599459a8bc39ccd156ec

    SHA1

    d5f2d7b50dad156c5ee015ecafb70a67d20975fb

    SHA256

    171ab324ad9d258ab2036302aa944d23e4184d35b5a48ab171a09dd46e1eb8ba

    SHA512

    c2d448f84fb6b35213bb1aa1dff4ae0571982c7f3efc1f21921602ec54f9f2cfef56ffaf8a13bdcd981c41ed6149c7eb28fc0d7ecd8592266b164a7e25f962b8