Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-05-2024 15:56

General

  • Target

    2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    2fe52d89a67c9906720d04670dcfbaee

  • SHA1

    0b661cade27f643d76c471db33729a8b795639da

  • SHA256

    27f6f8bc00bde8c8c6b5692388bf4458131a940814a1a903065bfdc2cfed0fde

  • SHA512

    f719bec24ddc570b30a529746dc3c68d6d81604efa9e0583b35c77cfe3d60824f3390cd8bbdaa9294c0f8781d2eff79ed7ac5ac1643c42459afb03a3374a6fd8

  • SSDEEP

    98304:+DqPoBQ1aRxcSUDk36SAEdhvxWa9P593R8yA:+DqPn1Cxcxk3ZAEUadzR8y

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3337) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2268
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2808
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    39257dbef45a759e3c44d0be045d8d61

    SHA1

    f75daf7947b40ce133359a29d84469b833f69a20

    SHA256

    ed3cb02276d4e304a8403ee3ebfb156e5b46e739f3e72cf91dd42ae9bbbfc9f7

    SHA512

    e06c4f54c854aaf76bb240457cc74c2bdeb26337daadec480b074719737a0993bfdd238f9c768a25a2fc37f06dbd6971ad185824875b086b4894a4237032d133

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    6298fb6f109a807ddfac1f8dcc014335

    SHA1

    36ad7ca09f15a364f8174df1f2f0b559454464c6

    SHA256

    a4ab229ff389272762db421d8591db5b272b8aa831823df71ba35fad98d7ba1d

    SHA512

    0eb439156c26088ec3516f472b6d05311b9cef226dd249d2932f4cd267e122bbc44cec031b924f8053d6013f9f34ecaca5ee874ee01cdd2ed662a9535549f345