Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 18:49

General

  • Target

    2b6274ffff415749e57c77a8cbeba089_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    2b6274ffff415749e57c77a8cbeba089

  • SHA1

    aae04c554a19bd76b4723bb33d8da16a581a8910

  • SHA256

    059b2ace75416d0c63953cef256feb92b2d70dfc248c70e2100732829a8f8273

  • SHA512

    967a1e2edcc12a5249ecdaeb6f95245157b63e66ccb900fa76b430e2c97894e469f18507dea657681ec781246d87b7d6c171e237c7a831f83fdf1f37a9cd9f12

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAjgKM6yLx2+UO:+DqPoBhz1aRxcSUDk36SAaM6

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3195) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b6274ffff415749e57c77a8cbeba089_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b6274ffff415749e57c77a8cbeba089_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2268
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2592
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2680

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    463bb30fc2e8131b7985540f964d9117

    SHA1

    6e60430952d0654faf3de6257f892685df1fcc77

    SHA256

    3ffe70a250fba5e95b0ab39b88cbe86676cf9307defee95f9cbdfe198856164b

    SHA512

    250b70788f80fcdf867b213a63e186860c73b34b005fa6ea075453af931a1cd038b71f4f1c95c2c8c8c60def00aef89b29a724c7845c4887315ab88f6f9d5a03

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    fb434349b6e1732394fbf54eba084367

    SHA1

    d478c194c35a2c4f51301350218c568439f75516

    SHA256

    a79d32d0f232dc130dfae183b56a8c2bad5ab69c14d85df3fb303b3a4f896311

    SHA512

    d2dfe407ff946d7a3bd50f846a0e05654b9c15111dbd0ed7f07e7341f850d3471748b571a2d476db0bc37e8ed5e5b22638d2cff735a1c62bd5f48abd8328ec62