Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 03:04

General

  • Target

    8932eb4a6adcb1f00e3ed8fe72af3324_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    8932eb4a6adcb1f00e3ed8fe72af3324

  • SHA1

    fe5c9cb3740d6ed10381a2cb1f6132a740059a94

  • SHA256

    7793ec935f7744363e2da33df49dbb9e9e71b35003f5a6eedec1c2b0007bb296

  • SHA512

    68d3f10e8f73f3d1de04693da8bdfa1db703e7c139b256c4a7af883873be7c44f0d1447ec8ef8d1b14c362d988a095751bd72067608593193ded80889d35178d

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R:+DqPe1Cxcxk3ZAEUadzR

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3306) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services (for WannaCry, the SMB worm component probing TCP/445 on neighbouring hosts).

  • Executes dropped EXE 3 IoCs
  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

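The two network signatures above fire on one observable pattern: a single host opening connections to an unusually large number of distinct peers in a short time. The following is an added detection example, not part of the sandbox report or its signature engine. It runs a sliding-window distinct-destination count over constructed NetFlow-style records; the threshold, window and the record layout are assumptions chosen for illustration.

```python
"""Flag hosts that fan out to many distinct SMB peers inside a short window.

Added example, not sandbox code. The report's "Contacts a large (3306)
number of remote hosts" signature fires on this pattern. The flow records
below are constructed, not captured traffic.
"""
from collections import defaultdict, deque

# Constructed NetFlow-style records: (epoch seconds, src, dst, dst_port)
SAMPLE_FLOWS = [
    # a workstation doing ordinary file-server traffic: three SMB peers
    (1000.0, "10.0.0.5", "10.0.0.10", 445),
    (1001.0, "10.0.0.5", "10.0.0.11", 445),
    (1002.0, "10.0.0.5", "10.0.0.10", 445),
    (1003.0, "10.0.0.5", "10.0.0.12", 445),
]
# an infected host sweeping a /24 on 445 at ten probes per second
SAMPLE_FLOWS += [
    (1000.0 + i / 10, "10.0.0.77", f"10.0.1.{i}", 445) for i in range(1, 101)
]
# the same host also talks HTTP; non-SMB ports are ignored by the detector
SAMPLE_FLOWS += [(1005.0, "10.0.0.77", "93.184.216.34", 80)]


def find_smb_sweeps(flows, threshold=30, window=10.0, port=445):
    """Return {src: (distinct_peer_count, first_alert_ts)} for every source
    that contacted at least `threshold` distinct hosts on `port` within any
    `window`-second span. `threshold` and `window` are assumed tuning values;
    the report's sample reached 3306 peers, far above any sane baseline."""
    alerts = {}
    recent = defaultdict(deque)                      # src -> (ts, dst) in window
    counts = defaultdict(lambda: defaultdict(int))   # src -> dst -> hits in window
    for ts, src, dst, dport in sorted(flows):
        if dport != port:
            continue
        recent[src].append((ts, dst))
        counts[src][dst] += 1
        # expire flows that have fallen out of the window
        while recent[src] and ts - recent[src][0][0] > window:
            old_ts, old_dst = recent[src].popleft()
            counts[src][old_dst] -= 1
            if counts[src][old_dst] == 0:
                del counts[src][old_dst]
        distinct = len(counts[src])
        if distinct >= threshold and src not in alerts:
            alerts[src] = (distinct, ts)   # first moment the host crossed the line
    return alerts


if __name__ == "__main__":
    for src, (n, ts) in find_smb_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct SMB peers within window, first seen at t={ts}")
```

Counting distinct destinations rather than raw flows is deliberate: a busy file server legitimately creates many flows to a few peers, while a worm creates one flow each to hundreds of peers, and only the second shape should alert.
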
Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8932eb4a6adcb1f00e3ed8fe72af3324_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8932eb4a6adcb1f00e3ed8fe72af3324_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2228
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2648
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1984

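The process tree above is the characteristic WannaCry launch chain: rundll32.exe loads the sample by ordinal (#1) from the user's Temp directory, the 32-bit rundll32.exe drops and runs C:\WINDOWS\mssecsvc.exe, which in turn runs C:\WINDOWS\tasksche.exe /i, and a second mssecsvc.exe instance is started by the service control manager with "-m security". The following is an added detection example, not sandbox code: it walks constructed process-creation events (shaped like Sysmon Event ID 1 records, with the PIDs and command lines from the report plus one benign rundll32.exe control) and reports each link of the chain. The rule names are invented for this example.

```python
"""Flag the WannaCry launch chain shown in the report's process tree.

Added example, not sandbox or tool code. Events are constructed; their
PIDs and command lines mirror the tree in the report, plus one benign
rundll32.exe invocation that must not fire.
"""
import re

# Constructed events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 600, "ppid": 4, "image": r"C:\Windows\System32\services.exe",
     "cmd": r"C:\Windows\system32\services.exe"},
    {"pid": 1724, "ppid": 1200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\8932eb4a6adcb1f00e3ed8fe72af3324_JaffaCakes118.dll,#1"},
    {"pid": 2216, "ppid": 1724, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\8932eb4a6adcb1f00e3ed8fe72af3324_JaffaCakes118.dll,#1"},
    {"pid": 2228, "ppid": 2216, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2648, "ppid": 2228, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 1984, "ppid": 600, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # benign control: a Control Panel applet launched by export name
    {"pid": 3000, "ppid": 1200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 loading a DLL from the user's Temp directory by ordinal (",#N")
RUNDLL_TEMP_ORDINAL = re.compile(
    r"rundll32\.exe\s+\S*\\AppData\\Local\\Temp\\\S+\.dll,#\d+", re.I)
SERVICE_ARGS = re.compile(r"\s-m\s+security\b", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Yield parent events of `pid`, nearest first, stopping at unknown or
    cyclic PIDs (PIDs are reused on Windows, so never trust a loop here)."""
    seen = {pid}
    while pid in by_pid:
        parent = by_pid[pid]["ppid"]
        if parent not in by_pid or parent in seen:
            break
        seen.add(parent)
        yield by_pid[parent]
        pid = parent


def detect_wannacry_chain(events):
    """Return a list of (rule, pid) findings for the chain in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = _basename(e["image"]), e["cmd"]
        if name == "rundll32.exe" and RUNDLL_TEMP_ORDINAL.search(cmd):
            findings.append(("rundll32_temp_dll_ordinal", e["pid"]))
        if name in ("mssecsvc.exe", "tasksche.exe"):
            parents = [_basename(p["image"]) for p in ancestors(by_pid, e["pid"])]
            if "rundll32.exe" in parents:
                findings.append(("dropped_exe_under_rundll32", e["pid"]))
            if name == "tasksche.exe" and cmd.rstrip().lower().endswith(" /i"):
                findings.append(("tasksche_install_flag", e["pid"]))
            if (name == "mssecsvc.exe" and SERVICE_ARGS.search(cmd)
                    and parents[:1] == ["services.exe"]):
                findings.append(("mssecsvc_service_launch", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_wannacry_chain(EVENTS):
        print(f"{rule}: pid {pid}")
```

The ancestry walk is what separates the dropped binaries from the service-started copy: mssecsvc.exe PID 2228 descends from rundll32.exe, while PID 1984 descends from services.exe and carries the "-m security" arguments, exactly the two roots shown in the tree above.
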
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    60098f96f13ec5cec860d8c64b207788

    SHA1

    935cfbc9d6bb786fd9302d4f40030ced98430a0f

    SHA256

    23a8a51c01969975d4745a39d4788b9ed04d46bc18787d9273dfbd3f97608826

    SHA512

    bd8d27acacddbe0c24a4d61673128c2d78c5c3aaf013cc560105a277ea1414a7bc8fa651ac81b88910604ad2e0eb0f184163aaf68d20c53f38b662dcb0eab393

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    c91f708b05cc06b554f544205943ca39

    SHA1

    ec2bc4509e57213d1ae68889b0a4db06035eb1fb

    SHA256

    97cc09ddf777eed3e868ff151e3191fd5439179e44b24cf14b72bb7c54c31b82

    SHA512

    676ec83f97e50ef633bef575f210a5328b4f7a7e203c53674dd761afa48efcdc9fe4aa5cd56e4cf3fadab3147266807553f38a875e7c6ecfe27fbbf3715a5d20