Overview

overview

10

Static

static

3

88a5b67273...18.dll

windows7-x64

10

88a5b67273...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 22:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88a5b67273b8a51d3f4fbfd4b2136ae8_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    88a5b67273b8a51d3f4fbfd4b2136ae8

  • SHA1

    2a51d83b5a27be37d3074f4c2bcf94a89c2d0821

  • SHA256

    98ed58ffb88ac0656e8e53ce2c177ec4ad8b237b7ce28e60dcfc85668669d487

  • SHA512

    1a618d658c2f3d988cf9bc2eac8a69d8114081ac113ede4480ccaeef290b9dad7e98fc386ed396d63ac208333fa60c3aca6c38b9bf3ef4f76a2f0ada86a30a9b

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa99TTKH2ORi8:+DqPe1Cxcxk3ZAEUaHTy2

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3305) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\88a5b67273b8a51d3f4fbfd4b2136ae8_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\88a5b67273b8a51d3f4fbfd4b2136ae8_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2144
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2448
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    8d5e68fbf80ef3ce211c7b63b1d9fda2

    SHA1

    76d6f2fd29296dee7bfdda4f905e03e4eb754b1a

    SHA256

    0a33f43fd1c516b4f6cdef1a1131c701e4b660f0c7318b52dd643d4e0c65922d

    SHA512

    1da54d41be37ae7597bc6a8301c062185d103b6ce920c1ac14cbab6b32e03981b39be094efa45d8a7653a2f4d1f5868bd5d5454a8e3b985b7482337cf89fa5fb

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    a1e7a2859047a51c9925212e5d549846

    SHA1

    1f6fc9f4d36b091d642c8879721be425da54b16f

    SHA256

    a184eccf04d4b905cbcc0fb09b9f1b33babf619202fc80ede41ed02fc344596c

    SHA512

    63f2fc9a15172bb65916c2485126a02f0e8885f86ed24759e075996d9f37d7efbf4a131d9e2e2d856497e560c6c8a2386b0a4f0046730834e4f075b6abb109e1

    Download Submit