Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-05-2024 22:18

General

  • Target

    7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    7e98a145a032013ca69b2cbf30cf5f84

  • SHA1

    c955b774132b69cd7f38033827b4f9cb98666898

  • SHA256

    0fcd53a40125addbfa3bf3f66379fa5b0bee5019c4680940e04fdb8714202059

  • SHA512

    973a057545bc3d2caca6ace592e39aeda04a4184fac3bd1c00f385a64301f6b2e95a376cdf39c4bcf9d15348c993d856914699a1e087dfd6708bc60de7e191c1

  • SSDEEP

    98304:TDqPoBi1aRxcSUDk36SAr593R8yAVp2H:TDqPZ1Cxcxk3ZArzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3295) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:760
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2668
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:4048

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    73f711dce0872d39ac4e7db8b9ca619c

    SHA1

    1ae464308025a7d376e4a20165eb02c2cae39c83

    SHA256

    f175fabaf90c262721a9882019b84fc9aa3f8bfee67fb176bf8448b76b9e1522

    SHA512

    1a51b4de8f3fcac1ad4d9b8816d448dbc971545d89658817bc7eabe6b9a362ebd570124894cadf570b2fe99caa2f2d75ac91c231e76a6693ba3c4963246bf4ea

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    fdee266283e705423f807589fb25dddc

    SHA1

    d5c05e0286323fedbe8b0e4b5043dccf7450dc80

    SHA256

    84395daa0e949e60a22310b591effbbb5787fe69428513445fa395726ab0f61c

    SHA512

    487a3f4bcfd4e77cf449e54581bbe06a457380a8ee818b8d20ccaa7359e254d00932bf4a2c6dac2c06745f7eebbf58ec4360c1af5a2fac769f84a6f4b273117a