Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 18:45

General

  • Target

    2b5e4a20e51f0f7bed2565c010ab1dee_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    2b5e4a20e51f0f7bed2565c010ab1dee

  • SHA1

    c5304256094a518eaaae1fbedc38043a0ce220e2

  • SHA256

    b92b23cfa7f789dd39d433b719e7dc35b9951572f89683b605eb7c89605f50b2

  • SHA512

    3a87958db4fc1f27869c0dbf8f61ced5afb6de98aa6c7c6801bdb04518712a1225859b371b3900518662c94985ca4d110715c1bb0138793128d6ea8d7f8907af

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3312) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b5e4a20e51f0f7bed2565c010ab1dee_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b5e4a20e51f0f7bed2565c010ab1dee_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4440
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4444
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    977621394af98d1f8662c2bc70b0cf35

    SHA1

    5747817e856b91b88b5a95109c42e2f90a732208

    SHA256

    fee9b88cad1cc384803a94f00fd14a42cf2dedfd0fcbafe6b015ba5cb6869477

    SHA512

    70b3bd576eaa1fac3ecedf3f47f54e20c9e9b360e94fb2de555e55396659fc6fa38f97380f9224a71a6d7505ab4973f900dc01ddf115f84c9bee72f511ec753e

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    8418e859695aa3b3d1065d45ab6c04c0

    SHA1

    e042ff2399094fd6900f3d742a61bb79a70cd574

    SHA256

    9063ef121d0e2aa30b0c3139238efd74349f929faa989f6137c42fa0fb2aa2bb

    SHA512

    061d34ee7651ed030c17995ec5ad64deeec552c129660eee6846d5a948e29d26832f0743abc279aa9ec0e13e402a3b3e429c4487095a6d33bbe27717b1d76b92