Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-05-2024 07:41

General

  • Target

    7ff896ee88282ff5ff92801df4cbc9af_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    7ff896ee88282ff5ff92801df4cbc9af

  • SHA1

    e3615ebca56dd130206a1e3e599bf7ad3daa812d

  • SHA256

    4a25b0b979bebeee43eaf893255d4eb251c615a2c59c31d463304d1028bdc788

  • SHA512

    b15e05ea69740f244379d07c55c5a659780dbb93e9636b90846347dfbac5b45abf5bbd246fa0dbef5d05166e4bea15b95fa4c3810457b64b80d3a672d7cd8e82

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593:TDqPe1Cxcxk3ZAEUadz

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3219) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ff896ee88282ff5ff92801df4cbc9af_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ff896ee88282ff5ff92801df4cbc9af_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2188
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1296
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:3032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    44e30ae945a1aa0a5c643d7b8cf2a3ae

    SHA1

    ea5d8b7d6b12ad9dbc28797866b82b26095f8964

    SHA256

    8a5e2eac0bae219a6a8ce01e28c948bfa57199f762f49e4913a1f385aea3bdf2

    SHA512

    eee46e6d10a868fd00b34d58f6476ebf3b7182f35fc01dd4223b3dcf51d6a0667425f2743cebac37c7f7381178ea339a05c1031fb55063d08f061d4700ab1f3f

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    fc0195c3fbc9d1ba19811d3c36b2bea4

    SHA1

    d618abf74712f8730fbad1d0988d1c30e1ec036b

    SHA256

    0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739

    SHA512

    01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965