Overview

overview

10

Static

static

3

58af071473...18.dll

windows7-x64

10

58af071473...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 05:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58af0714731eac2a433d683ea673378a_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    58af0714731eac2a433d683ea673378a

  • SHA1

    01958036854f3f55716971d09d8809c380d4ba8e

  • SHA256

    41a83dd328f86adcaa3c24ea9ca0f3f8254ebff3bf143ae050c43f1eec77bea7

  • SHA512

    a96afe040d8add23aa13d4f949b3dd206ece6c062ef1fc711ac360a6c9c31cebb240aeb362cce4c7a38e782f7cff713bc905eca6ed95e5beaa0279520cbb2992

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjGvk+RdhAdmv1LJMfcH9PO6L:SnAQqMSPbcBVQejPRdhnvxJM0H9

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (2919) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\58af0714731eac2a433d683ea673378a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\58af0714731eac2a433d683ea673378a_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2436
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2740
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    e6491d1e0a1f4922c34749ed8a5758bc

    SHA1

    94726f4af6cf955da96b5888df5605adcefb6aa3

    SHA256

    5ef98abc329cca92d972cc9d7fef49bd762f07631b8f3bb0183df4bfb3ef57ec

    SHA512

    6beee0559bf6e8a61fa14bf1ada2d8e69ea1dafc8e427ebfea6283130cd09ac4829fe044eead7faaea6890e36c14943aabb4c91453a4c1b0ddf7699254feb12a

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    5deb876be3170add4404bb31f0804fd4

    SHA1

    1efd4ca4c0ce81e8c91aaed9488331add0564b11

    SHA256

    5ce4b39b9488fae92e80f3b16f04f5a793da55af1e617fd83747b2ced32efcb1

    SHA512

    102256e3b59d08db64d240d969498ab1b55e092953ffee0e2ad1ea5554f7676eee620bf99f991040e8895eed93883a05beb70e4531fb6ec85f63dd7845b6691b

    Download Submit