Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3340eec1f9...18.dll

windows7-x64

10

3340eec1f9...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/05/2024, 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3340eec1f90de20b798e5f6c2a7b6434_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    3340eec1f90de20b798e5f6c2a7b6434

  • SHA1

    ba6ab639f7ddf21da263ac9c7a48572c31d87d10

  • SHA256

    2c5a1a2aea7f263f2cbb063f45badccd7165b35de48c67247bf8038ff9c2f623

  • SHA512

    541fe3301b13d69bf75c738f95919af2cb52e89911c9b9985403179d0d9efe14f8cdfdad8eacc128f8cb4f014a774726db3ab2de36e7c6b335beba53c532ea0d

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhn:+DqPoBhz1aRxcSUZk36SAEdh

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3128) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3340eec1f90de20b798e5f6c2a7b6434_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3340eec1f90de20b798e5f6c2a7b6434_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1020
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2788
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    4f8187f7307f33cd25935f5e880ee047

    SHA1

    984fd9e94a96d476a85ecb69bd08c390f29a3043

    SHA256

    7a76798a97e062a6dd903570e459fdbb9aa4c24410d6cce8fe0de2e9097df571

    SHA512

    7bfa53a6e63dc596a71191df784e09dd435bff9063fe8042c162d0c09e5f4f5713e39b9d32329eaf68cf4ed7fe1ba9e7703d3871394df8663a1ac1ebc3572815

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    b91800f044097d66a2956440ade809e3

    SHA1

    163381e41d1665d3325f0081b0feb83f399a117f

    SHA256

    324eaf7b3ecae86cfe0f4c27783e777714512b8b2a017314089bf335ecad7fe9

    SHA512

    a191ef5d5493949dcf649e22629d748f2059c1a5d95013ec1bbf9ad835e61e4e9d0cd7ad5df6e8e33c417e412256cb796c2576a5935860dcdc67d2dbb91177a4

    Download Submit