Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-05-2024 20:48

General

  • Target

    73331cde051c30581067620c3eeb6bec_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    73331cde051c30581067620c3eeb6bec

  • SHA1

    c93c9b7e810e5d2ce1b577139d5e96802b539cc2

  • SHA256

    62fb410164bc67a5c81c285f49c3ae5f89135e7c2ee5330fd502f316af10abfe

  • SHA512

    c172a37078f0104e3046c7ba7142512ae6041b8c6041c0cd4427f22a8aeb344989b5f29295862e76f0a9a6bf8e50db77c60166bdee9511c5a751093d93b54557

  • SSDEEP

    49152:SnAQqmQejcNRx+TSqTdX1HkQo6SAAIvxJM0H9PAMEcaEau3:+DqiqRxcSUDk36SA5xWa9P593

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm: it encrypts files on the infected host and self-propagates to other machines over SMB, which is what the host-scanning behaviour flagged below reflects.

  • Contacts a large number (3183) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\73331cde051c30581067620c3eeb6bec_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\73331cde051c30581067620c3eeb6bec_JaffaCakes118.dll,#1
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1680
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          • Executes dropped EXE
          PID:3028
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2572
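
The process tree above and the "contacts a large number of remote hosts" signature are the two behaviours a detection engineer would most want to turn into rules. The following is an added example, not part of the sandbox report: it replays the report's tree as constructed Sysmon-style process and network events and runs three detections over them (a dropped executable whose ancestry leads back to rundll32.exe, the known dropped names executing from C:\Windows regardless of parent, and a single process contacting many distinct hosts on one port). The event schema, the parent PIDs of the two root processes, the attribution of the network traffic to PID 2572, the use of TCP/445 and the 100-host threshold are all assumptions made for the example, not facts from the report.

```python
"""Added example, not part of the sandbox report: replay the report's
process tree and host-contact behaviour as constructed Sysmon-style
events and run detections over them. The event shape, the parent PIDs
of the two root processes, the per-process attribution of the network
traffic, the TCP/445 port and the 100-host threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Executables the report shows being dropped into C:\Windows and run.
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}
SCAN_HOST_THRESHOLD = 100   # analyst choice; the sandbox saw 3183 hosts


@dataclass
class ProcEvent:          # Sysmon event 1 subset (constructed shape)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:           # Sysmon event 3 subset (constructed shape)
    pid: int
    dst_ip: str
    dst_port: int


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def _dirname(image: str) -> str:
    return ntpath.dirname(image).lower()


def detect_rundll32_drop_chain(procs):
    """Return 'rundll32(pid) -> ... -> dropped(pid)' chains: a dropped
    executable whose ancestry leads back to rundll32.exe, i.e. the DLL
    entry point staged and launched a second-stage binary."""
    by_pid = {p.pid: p for p in procs}
    chains = []
    for p in procs:
        if _name(p.image) not in DROPPED_NAMES:
            continue
        chain, cur = [p], p
        while cur.ppid in by_pid:          # walk up until the root or rundll32
            cur = by_pid[cur.ppid]
            chain.append(cur)
            if _name(cur.image) == "rundll32.exe":
                chains.append(" -> ".join(f"{_name(x.image)}({x.pid})"
                                          for x in reversed(chain)))
                break
    return chains


def detect_dropped_in_windows_dir(procs):
    """PIDs of the known dropped names executing directly from
    C:\\Windows; also catches the parentless '-m security' instance."""
    return sorted(p.pid for p in procs
                  if _name(p.image) in DROPPED_NAMES
                  and _dirname(p.image) == r"c:\windows")


def detect_host_scan(nets, port=445, threshold=SCAN_HOST_THRESHOLD):
    """Map pid -> distinct destination hosts on `port` for processes at
    or above `threshold`: the 'contacts many remote hosts' heuristic."""
    hosts = defaultdict(set)
    for n in nets:
        if n.dst_port == port:
            hosts[n.pid].add(n.dst_ip)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


# Constructed events mirroring the report's tree. PPIDs 1000 and 500 for
# the two root processes are invented; the report does not give them.
_DLL = r"C:\Users\Admin\AppData\Local\Temp\73331cde051c30581067620c3eeb6bec_JaffaCakes118.dll"
SAMPLE_PROCS = [
    ProcEvent(2740, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {_DLL},#1"),
    ProcEvent(1176, 2740, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {_DLL},#1"),
    ProcEvent(1680, 1176, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(3028, 1680, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(2572, 500, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ProcEvent(4000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
]
# Synthetic flows: 3183 distinct hosts on 445 attributed to PID 2572
# (assumed), plus a few ordinary SMB connections from explorer.exe.
SAMPLE_NETS = [NetEvent(2572, f"10.{i // 256}.{i % 256}.1", 445) for i in range(3183)]
SAMPLE_NETS += [NetEvent(4000, f"10.0.0.{i}", 445) for i in range(3)]


if __name__ == "__main__":
    for c in detect_rundll32_drop_chain(SAMPLE_PROCS):
        print("drop chain:", c)
    print("dropped exe run from C:\\Windows, PIDs:", detect_dropped_in_windows_dir(SAMPLE_PROCS))
    print("host scan:", detect_host_scan(SAMPLE_NETS))
```

The chain walk stops at the first rundll32.exe ancestor, so the 64-bit rundll32 (PID 2740) re-launching the 32-bit one (PID 1176) does not produce a duplicate hit, while the service-style instance (PID 2572) with no parent in the tree is still caught by the directory rule. The host-scan threshold is deliberately far below the 3183 hosts seen here; tune it against your own environment's normal fan-out on the chosen port.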

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    ac08f2b382b38e4eb13414dca939c8c1

    SHA1

    c0866c471659b277f4b8dbcf5888a77694894261

    SHA256

    f17029a0781b749050cc56757875232e375459c043ef3b042f2ec32d1d4dbe9f

    SHA512

    c038c2835f8215fd867e669ee076b9dbe98ca81e106b30e75eed821f02680274eb0cb2ced1c8101f281c4e875e0a5075aa9d40f9d847bc3c2b81e9e685584371

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    7d6ec20aeb4931acd69f970369797149

    SHA1

    fba3f597ddbeab4d540942e5061be45d739d9de7

    SHA256

    f37d14ebc85c29ae9f0dcc5d2522e7ac4590c199868b497938a77644002d717b

    SHA512

    2804021e9484d240cd9e8e3d40118d0568ff317997f5852bb8bad120bcbf1fe163c0c71a6b3ae5e8a323ea4224438c0e524a5f7bd0b5dadb098f89dc49ce216c