Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-05-2024 15:02

General

  • Target

    501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    501dc5ce9e1ef2b61cedefeb887e4bdf

  • SHA1

    c4b666275cca5fa6f45a72588b8858293dfc8322

  • SHA256

    67fb76c4fabd6e4bc050e2fc5dd3751b5d7d8e8eb0ef739cae9524e9f404c661

  • SHA512

    54fdfed9125c1d3ddea0c87bdad326a39f24a0aaa6e09356a17403bf99fae40f91b7c5e59820c8453d8f212d805c9f4b42f6d4c79000f24a31b18f6b83d6bdf5

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3107) of remote hosts 1 TTP

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large number of network flows 1 TTP

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll,#1
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2364
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          • Executes dropped EXE
          PID:2140
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1732

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    1438b1a728e349833aefc78d2cf3444b

    SHA1

    a4e026c165c94dee9e4f23968376c0c5e663d2ce

    SHA256

    10848a23a4bb66b68e1e822ae097b20de861a21134043fdb7aa567437fbdd512

    SHA512

    67f2ade068270d523a709ad6e2a1f9e56ff2138bed1738660a143a56903f73c48e1e7268c4065c186c8343de1d649f12a4c15d56d32ed2aedf31c14dbb6f7c2a

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    23e2fc74db39af10ec21a185e98203d0

    SHA1

    927df4391803a683658fd6c741e2fc6159c25e1e

    SHA256

    020184730bcb72d346a6ceedb88f13e226ea037fea9116f92ba121d1452f0d4d

    SHA512

    45c29409448fccd138a5fb31bff1dae67b8d8f03c6d7a4e1a1598eed9cebb8f3e102a9355b59ef232485e32fda6ae4cdce6ce1fdadfe1b51756dc93b12646d0b