Resubmissions

18-05-2024 01:17

240518-bnqpvsdb61 10

18-05-2024 00:01

240518-aa5q7aaa72 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-05-2024 00:01

General

  • Target

    52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    52273974a0123165fa8fbd867fa6dce5

  • SHA1

    35f1258534d55dd40ad036af00a7b82cb692843d

  • SHA256

    022c9efcf232fdfabcfba1423deb8ade3a49ae6480bddd4d58b4ca712e2ebd02

  • SHA512

    389091e8ebbbbeb2709bed52ee3cbb7149a8f4f283c49cbf35ccbc93437f3472a4c272ab401ca3f22eadcfce067bfde179a1be1a9dbf07aa6c8ea53506ca9744

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIwQ2bYy:SnAQqMSPbcBVQej/

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3170) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2196
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2604
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    4baf69383a9fc1b6da854b63272e300f

    SHA1

    08ea3eb52583c2fd25ee7dc6a19ef5fa6c199138

    SHA256

    04910bfe3dab5e3d912b28c4c94614d9b826bb261dbe5135e3cca5f854624221

    SHA512

    13f6995db6ddb62f3731105af44cf500daff1f365324c45ce24da2d9026f853db57ca2a9e3a1f29e5c87c9f2655a4b6a6f6b5f761e93b1f541b4752559cd9278

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    c5df4ec60f1f3a939577111217672171

    SHA1

    0eee00b69479940e562650d8fa31f7e89678152f

    SHA256

    8ff377030e6bc316de9d062090a780542d7512ca4debc1e21c78f5a4720b7d2f

    SHA512

    2f9d784fde6ff56cbc2c1e355c7a2288d34722b0f8adbe9c50ddebb4cb0380f926323f83222f8182c101d2190a7aff7f9f0f67c96ce00a20a9e7c8af9248c0f5