Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 11:44

General

  • Target

    8a5f1c167c3450e13e06ecab6be7838a_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    8a5f1c167c3450e13e06ecab6be7838a

  • SHA1

    87db1835f6b7e4a1d2e3bf6a9f889d922a5ed213

  • SHA256

    2e9d8ca583fdeff7bdec78d707d322cab949a22fd487bce721a2ad2b8d8a548f

  • SHA512

    9df93ab449855b631084c785f00ccfb4b508a8d22d451914114c49515248fc359011be5715f39c3119e69a571e13fd1961b6de69e81347c0e181248ab7eeb063

  • SSDEEP

    49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAM:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3116) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a5f1c167c3450e13e06ecab6be7838a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a5f1c167c3450e13e06ecab6be7838a_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2612
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2540
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    c9ae0f347cccf40cbc237beddac981d8

    SHA1

    02da17aa1ab0732385cc645a0f6f4da8c6b76789

    SHA256

    ecd829bda76a0df946864052d1d19f400a8c7b79c6ef97b0ce2f9c7b41d072c2

    SHA512

    d242595360e3bed4203da7cfd07b932038831e68e79ee07ef087cb52d138c806eaabac8edb8887c6942dc0c78be655a6d2481362d780b56f5943f781382161b5

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    c1bbf0090ee11089390daa14953acd85

    SHA1

    e08221568dfc20473b5d67e9ad38c2049df3a450

    SHA256

    6ea6ba48f602e2aacea73f1251cc6c4f0baff94cec3487cfee0e0dee742a3b35

    SHA512

    be9ffb7847d1953e8b52499eb795eae59857be679332ab88f0fc95493253c5fcad6b037cd026ba9fc1828d8cd9d8f19b63e0c602084ffbde257b9562fa6d6749