Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-05-2024 02:55

General

  • Target

    52bd09bef51fdc8f27db1d866833f06e_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    52bd09bef51fdc8f27db1d866833f06e

  • SHA1

    2effa46e80d3a66a53a1a43f415c4383a2ead9c6

  • SHA256

    933d22e4dd68fe7cfa1d8a7afdd2f0a3aec97fbd0d09069a8667dc4f45c0c7eb

  • SHA512

    40fef4905591ccdd3db265671eb32d7eac3a2de03d0363b67cdd194db600965f091a46e7d8cd8c1519853aa58ca542761c4549e3cde257d77b9273bb6285f3b8

  • SSDEEP

    98304:TDqPoBhC1aRxcSUDk36SAEdhvxWa9P593R8:TDqPT1Cxcxk3ZAEUadzR8

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3287) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\52bd09bef51fdc8f27db1d866833f06e_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\52bd09bef51fdc8f27db1d866833f06e_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1984
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2868
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    e24f99d2f3d5748da8746baa26293855

    SHA1

    9dc544c10d8539e6673718d9f28e7675334ec347

    SHA256

    933bd7af869d16469fac1f38a7ce1f89907d0a0af6eb92d18d89939a6858dd34

    SHA512

    0158fe45aad4fb521fd0c0fd3c03bacdd2c5ea66e9f4b5add529ced6e452c91e3b71296472a671ddd4ee7e4743b6499bb23eb1eb87b6a15008074f807f135fa1

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    f35530613a65e4b78fd49fdc9ae2a761

    SHA1

    c5171833f01470d7f01bda118eec6fd457545c0d

    SHA256

    aba53ea94812a018ac00e9664c57d32bbf25922bb08141694fb65f493611248b

    SHA512

    6d93a906f3de70ebef2b793954c2660f6c51f25a20f7b1c8da964240605e36e9861c822c9b6ee3a2f8e2e030991898b7d9ff8ee220b2f31ad3b8dba4be3e1d44