Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-06-2024 21:35

General

  • Target

    8f82f0fee6f8bac750ca3685435877af_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    8f82f0fee6f8bac750ca3685435877af

  • SHA1

    4b96c086e8af1de4d12dec649c7a1e1d9c37c496

  • SHA256

    4940cd65dbf580e56633d052179bd0a9df2c5e41781c66db3ff197b80c8d0edf

  • SHA512

    9a489d18033aef4dbf40f4f2d2fca80672896869068c62d4acbe7ffb32ade4d960d5408c47be2160099edde639b00f2cc56b7a0a7dfbae184505a12679dc3cd3

  • SSDEEP

    49152:SnAQqMSPbcBVsZ6SAARdhnvxJM0H9PAMEcEEau3R8yAH1plAH:+DqPoB+6SAEdhvxWa9P5n3R8yAVp2H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3269) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f82f0fee6f8bac750ca3685435877af_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f82f0fee6f8bac750ca3685435877af_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3040
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2632
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2872

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    f24df863ff0aec51e50bef1631aad91e

    SHA1

    29e4df8894fbca22d91c4a926b4b066cf788b66b

    SHA256

    75d35a6428a073f9d06193777df4998a73a6fc5fd1d3772027083f02a9a8ca96

    SHA512

    20991c55a0b5d2903ec686db641d9d4b8bc50fbd910b5b79e513aa34611a607b458092cf14e11d48d489f55b9164b1dad1483d34699a3e93558a6293f8f37821

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    27d35936d5402c27bc7f0ba2bd2647e3

    SHA1

    e4145a3d5d04f0ed4bb9b3ee1d52185ba8b2c298

    SHA256

    bb82a7c495994ff70cd7d067c7d396e39cb18f79b45ddc00815318ca04967170

    SHA512

    96504f4112822e30ea56488fdbf9c33914a1ac086851eb41e70a5f75dfc37e207cfa20efabaf7bc5d7f8e49d0f03f3e5338fb4fd544bf3e448006999326d2316
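The Processes and Downloads sections above are enough to turn this report into a hunt: the rundll32 ordinal-export loader, the two binaries written straight into C:\WINDOWS, the "mssecsvc.exe -m security" service launch and the "tasksche.exe /i" installer call, plus the SHA256 values of both dropped files. The script below is an added example, not code from the sandbox report. Its process records are constructed to mirror the Processes section (the parent pids 1200 and 1012 are assumed, since the report does not show them, and the two benign rows are made up to show what is not flagged); the (pid, ppid, image, command line) record shape is an assumption about how a Sysmon-style process-creation feed has already been parsed.

```python
"""Hunt for the WannaCry process chain and dropped-file hashes seen in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS and SAMPLE_FILES are
constructed; parent pids 1200 and 1012 are assumptions.
"""
import hashlib
import re

# SHA256 values of the two dropped binaries, copied from the Downloads section.
DROPPED_SHA256 = {
    "75d35a6428a073f9d06193777df4998a73a6fc5fd1d3772027083f02a9a8ca96": "mssecsvc.exe",
    "bb82a7c495994ff70cd7d067c7d396e39cb18f79b45ddc00815318ca04967170": "tasksche.exe",
}
WANNACRY_IMAGES = {"mssecsvc.exe", "tasksche.exe"}
# rundll32 called with an ordinal export (",#1" in the report) rather than a named one.
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)

DLL = r"C:\Users\Admin\AppData\Local\Temp\8f82f0fee6f8bac750ca3685435877af_JaffaCakes118.dll"
SAMPLE_EVENTS = [  # constructed: (pid, ppid, image, command line)
    (2844, 1200, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    (3016, 2844, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    (3040, 3016, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    (2632, 3040, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    (2872, 1012, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    (4100, 1200, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign, constructed
    (4200, 1200, r"C:\Windows\System32\rundll32.exe",                  # benign, constructed
     "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
]
SAMPLE_FILES = [  # constructed: (path, sha256 as computed on disk)
    (r"C:\Windows\mssecsvc.exe", "75d35a6428a073f9d06193777df4998a73a6fc5fd1d3772027083f02a9a8ca96"),
    (r"C:\Windows\tasksche.exe", "bb82a7c495994ff70cd7d067c7d396e39cb18f79b45ddc00815318ca04967170"),
    (r"C:\Windows\notepad.exe", "00" * 32),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_root(path):
    """True only for an image placed directly in C:\\Windows, where both payloads landed."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[1] == "windows"


def index_by_pid(events):
    return {e[0]: e for e in events}


def ancestry(pid, by_pid):
    """Walk parent pointers upward; stops at the first pid the feed did not record."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid][1]
    return chain


def hunt_processes(events):
    """Return (pid, reason) findings matching the chain in the Processes section."""
    by_pid = index_by_pid(events)
    findings = []
    for pid, ppid, image, cmdline in events:
        name, low = basename(image), cmdline.lower()
        if name in WANNACRY_IMAGES:
            findings.append((pid, f"known WannaCry component name: {name}"))
        if name == "mssecsvc.exe" and "-m security" in low:
            findings.append((pid, "mssecsvc.exe launched as the dropped 'security' service"))
        if name == "tasksche.exe" and low.rstrip().endswith(" /i"):
            findings.append((pid, "tasksche.exe installer invocation (/i)"))
        parent = by_pid.get(ppid)
        if (parent and basename(parent[2]) == "rundll32.exe"
                and ORDINAL_EXPORT.search(parent[3]) and in_windows_root(image)):
            findings.append((pid, f"spawned by rundll32 ordinal-export loader (pid {ppid}): {image}"))
    return findings


def match_dropped_files(files):
    """Match (path, sha256) pairs against the report's dropped-file hashes."""
    return [(path, DROPPED_SHA256[h.lower()]) for path, h in files if h.lower() in DROPPED_SHA256]


def sha256_of(path):
    """For live use: hash a file on disk before handing it to match_dropped_files."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    by_pid = index_by_pid(SAMPLE_EVENTS)
    for pid, reason in hunt_processes(SAMPLE_EVENTS):
        print(pid, "<-".join(map(str, ancestry(pid, by_pid))), reason)
    for path, component in match_dropped_files(SAMPLE_FILES):
        print("dropped-file hash match:", path, "=", component)
```

The rundll32 rule deliberately ignores the 64-bit to 32-bit rundll32 hop (pid 2844 to 3016), which is normal when a 32-bit DLL is loaded on x64; it fires only when the ordinal-export loader's child is an executable written directly into the Windows directory, which is what distinguishes this chain from ordinary Control Panel or shell32 rundll32 use. Hash matching on MD5 or SHA1 from the report would work the same way, but SHA256 is the value worth pinning.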