Overview

overview

10

Static

static

3

6887821d15...18.dll

windows7-x64

10

6887821d15...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6887821d151dc76e97740655d040af67_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    6887821d151dc76e97740655d040af67

  • SHA1

    0d7915053db68cf89ac984975fe5eebcf4c0dbc7

  • SHA256

    f5e0b725d2fb35c1b4a9a2ac6efb3d4a3e7aa9fb9422022bc19082ef8190128e

  • SHA512

    bc1b6362d6f018cc43cf2f52a178ee20251d1099169c498e37216c82961291d3be91dc667866067a7cd809f6e9cbb39a1a9b0773b09c726136f6743597137218

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0qMEcpcL7nEaut/8uME7A4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBVqMEcaEau3R8yAH1plAH

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3316) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6887821d151dc76e97740655d040af67_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6887821d151dc76e97740655d040af67_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1928
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2716
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2248

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    9d33bfa57dea52c3d1d21c2a0bb2bfc3

    SHA1

    1711cd3bbb91d1f82a5d9a465171343046f1f6bf

    SHA256

    e130372fc98f52cc794788940b75c8fb11017bbb64d1df9849752c23060ccd41

    SHA512

    38e431417bb941ccb21c29ad02068d5b6c6ec5bee451b4193cfdc6753b3332fe4bc8f9ea54a46b503fa8220e1d02d28d13b380b81ce3e4ee4d1436bf23ee4c7a

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    19cbe6b8c799727886ca99a69a320004

    SHA1

    da6f79f66ee82ca61c36d2b29ff09f6d474eabc6

    SHA256

    66d93625cd977147c28dc0bd091586fe6d5149ac9b8da6c89eba0b849f19bb62

    SHA512

    e70312e1cf2de6f5267aeb5e0a1572c2bc3fd436c1770d9d8c046cd08521e903baac9d3d650d255d968741de6b52ac33f99cedd069ab560f1ec5cf5feca2620e

    Download Submit