Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-05-2024 00:10

General

  • Target

    82757113021bc81bcc9dace94d7d8726_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    82757113021bc81bcc9dace94d7d8726

  • SHA1

    24caa6dd2f562a46bdf5031ad6bfa2160d4abb7a

  • SHA256

    0057bcf838743b5103b1778e94accd5aec82bd22f55a5734bd18141a4717c21a

  • SHA512

    94587ffc5c01496625b6888a90a7867ada021d28fc22cd386f3b656db7676d041046848fc8fb9cc69e2b9301db5359f7a73d5632bb6faf718d8b29444c0846d1

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRK9PAMEcaEau3R8yAH1plAH:+DqPoBhz1aRK9P593R8yAVp2H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3220) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\82757113021bc81bcc9dace94d7d8726_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\82757113021bc81bcc9dace94d7d8726_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2300
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2620
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2872
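
The process tree above is the whole detection story: rundll32 loads the DLL by ordinal (`,#1`), the 32-bit rundll32 writes and runs `C:\WINDOWS\mssecsvc.exe`, that process spawns `tasksche.exe /i`, and a second `mssecsvc.exe -m security` instance appears at the root of the tree and is the one that fans out to thousands of hosts. The following is an added example (not part of the sandbox report or its tooling) that turns those observations into detection logic and runs it over constructed Sysmon-shaped events. The field names (`Image`, `ParentImage`, `CommandLine`, `Hashes`, `ProcessId`, `DestinationIp`), the use of `services.exe` as the parent of the service instance, the `explorer.exe` parent for the first rundll32, the benign `browser.exe` control process, and the 100-host threshold are all assumptions; the PIDs, paths, command lines and SHA256 values are copied from the report.

```python
"""Detection logic for the execution chain and scan burst in the report above.

Added example, not part of the sandbox report or its tooling. The events are
constructed inline in a Sysmon-like shape; the field names (Image, ParentImage,
CommandLine, Hashes, ProcessId, DestinationIp) are an assumption about the
telemetry you have, as is services.exe as the parent of the service instance.
"""
import re
from collections import defaultdict

# SHA256 values copied from the report's dropped-file section.
DROPPED_FILE_SHA256 = {
    "09d251770c1156ad754725b1691d7d529ec4ada2926a2663b5ab408a8734e547": "mssecsvc.exe",
    "71c9cd49a782c4a67f2dfa686443a835e27f858c54a70bee2bf6c02d69b5111a": "tasksche.exe",
}

# Threshold chosen for this example; the sandbox counted 3220 distinct hosts.
SCAN_HOST_THRESHOLD = 100


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def sha256_from_hashes_field(hashes):
    """Pull the SHA256 out of a Sysmon-style 'MD5=..,SHA256=..' string."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", hashes or "")
    return m.group(1).lower() if m else None


def analyze(events):
    """Return (rule, pid) findings for the chain seen in the process tree."""
    findings = []
    hosts_by_pid = defaultdict(set)
    for ev in events:
        if ev["type"] == "ProcessCreate":
            img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev["CommandLine"].lower().strip()
            # rundll32 writing and launching mssecsvc.exe from C:\WINDOWS
            if img == "mssecsvc.exe" and parent == "rundll32.exe":
                findings.append(("wannacry_dropper_chain", ev["ProcessId"]))
            # service instance: mssecsvc.exe -m security
            if img == "mssecsvc.exe" and cmd.endswith("-m security"):
                findings.append(("wannacry_service_instance", ev["ProcessId"]))
            # installer stage: tasksche.exe /i spawned by mssecsvc.exe
            if img == "tasksche.exe" and parent == "mssecsvc.exe" and cmd.endswith("/i"):
                findings.append(("wannacry_tasksche_install", ev["ProcessId"]))
            # exact match against the dropped-file hashes from the report
            if sha256_from_hashes_field(ev.get("Hashes")) in DROPPED_FILE_SHA256:
                findings.append(("known_wannacry_binary", ev["ProcessId"]))
        elif ev["type"] == "NetworkConnect":
            hosts_by_pid[ev["ProcessId"]].add(ev["DestinationIp"])
    # "Contacts a large amount of remote hosts": distinct destinations per process
    for pid, hosts in sorted(hosts_by_pid.items()):
        if len(hosts) >= SCAN_HOST_THRESHOLD:
            findings.append(("network_scan_burst", pid))
    return findings


def proc(pid, ppid, image, parent, cmd, sha256=None):
    """Build one constructed ProcessCreate event."""
    hashes = f"MD5=00,SHA256={sha256}" if sha256 else "MD5=00"
    return {"type": "ProcessCreate", "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd, "Hashes": hashes}


def build_sample_events():
    """Constructed telemetry mirroring the report's tree; PIDs are the report's."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\82757113021bc81bcc9dace94d7d8726_JaffaCakes118.dll"
    win = r"C:\WINDOWS"
    events = [
        proc(1612, 1000, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\explorer.exe",
             f"rundll32.exe {dll},#1"),
        proc(2032, 1612, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\system32\rundll32.exe",
             f"rundll32.exe {dll},#1"),
        proc(2300, 2032, rf"{win}\mssecsvc.exe", r"C:\Windows\SysWOW64\rundll32.exe",
             rf"{win}\mssecsvc.exe", "09d251770c1156ad754725b1691d7d529ec4ada2926a2663b5ab408a8734e547"),
        proc(2620, 2300, rf"{win}\tasksche.exe", rf"{win}\mssecsvc.exe",
             rf"{win}\tasksche.exe /i", "71c9cd49a782c4a67f2dfa686443a835e27f858c54a70bee2bf6c02d69b5111a"),
        # parent services.exe is an assumption; the report shows this instance at the tree root
        proc(2872, 500, rf"{win}\mssecsvc.exe", r"C:\Windows\system32\services.exe",
             rf"{win}\mssecsvc.exe -m security", "09d251770c1156ad754725b1691d7d529ec4ada2926a2663b5ab408a8734e547"),
        # benign control process (constructed) with a handful of connections
        proc(4242, 1000, r"C:\Program Files\Browser\browser.exe", r"C:\Windows\explorer.exe",
             "browser.exe"),
    ]
    for i in range(1, 151):  # the service instance sweeping neighbouring hosts
        events.append({"type": "NetworkConnect", "ProcessId": 2872,
                       "DestinationIp": f"10.0.{i // 256}.{i % 256}"})
    for i in range(1, 6):
        events.append({"type": "NetworkConnect", "ProcessId": 4242,
                       "DestinationIp": f"203.0.113.{i}"})
    return events


if __name__ == "__main__":
    for rule, pid in analyze(build_sample_events()):
        print(f"{rule:28s} pid={pid}")
```

The parent/child and command-line rules fire on behaviour and survive a rebuilt sample; the hash rule only catches these exact dropped files, which is why it is kept as a separate finding rather than the only one. The distinct-host count is per process, not per machine, so the benign control process with five destinations stays quiet while the `-m security` instance trips the threshold.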

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    91f86c8cf2d0cf260ddeb53320b1d520

    SHA1

    5fa35242052b381269be86eee0680fd4a71ec06b

    SHA256

    09d251770c1156ad754725b1691d7d529ec4ada2926a2663b5ab408a8734e547

    SHA512

    9258e65eb7dff1e004ea4bb4ed171d6a25a1e8d34521603c7d54487987aa32f2c54b6216708c358262c90a7365ba8475d35f6ddfdc89c782a36cd421e1005984

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    c74de0e7c8b012d9f50f24a6bec16a5c

    SHA1

    b75a5ccb3afe0d3874ad3870b1379e8de348604b

    SHA256

    71c9cd49a782c4a67f2dfa686443a835e27f858c54a70bee2bf6c02d69b5111a

    SHA512

    25b6e91942eb70c63f74d3652ea80f6588f39ad48d89b2efcfaef5809a4a8e96a22a854dd7f377e6d40b14285aa47081009ed6761256a7c1946a3726e388eca2