Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-06-2024 20:41

General

  • Target

    8f5a868e8958068d3af0674ff3c24289_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    8f5a868e8958068d3af0674ff3c24289

  • SHA1

    28562bf6361ae36a4ec4963099cb8fc76a0e7ae2

  • SHA256

    5e1accb4db056135990fb1afc06296e66ea0ce7395599afda6d7468bdf9d2779

  • SHA512

    c83d94f466d44640fddae63ea1b4c7fe3314ebaaf86f8ed91ccd8dd83d5956bb170ec2ae2f9feb622b542d6ed5a29d61d17b52dd71fc0a0ecf8ef4085e3f4c65

  • SSDEEP

    98304:dDqPoBhz1aRxcSUDk36SAEdhvxWa9P593RzPfwo:dDqPe1Cxcxk3ZAEUadzRLfw

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3119) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f5a868e8958068d3af0674ff3c24289_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f5a868e8958068d3af0674ff3c24289_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2280
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2680
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2572

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    700719a2b90655e334f915d05c5ec66a

    SHA1

    8b61fcbe344355c6d964b3046fe4ee70c2c62bc8

    SHA256

    814c2bc4ddc0dc5c88d352ccdcb29d4296e816c25c6056772d6c90a8af5b7a62

    SHA512

    ee6353ca81500e1c7965484993389da4a6a1fbd7ede9131664f22c5b04107af46d18db2fd6fb51a5cba017c2f51dae7add0f8b1fb2bd60018b74b0876c913cc1

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    e77b6f2af12d54a10c978b7f665c11c1

    SHA1

    2cf4a829a8598234f206d682b12387ef4017a09e

    SHA256

    edac81687e84c1433f1edcdbfb346a7b7fbb93365f98834fa6fc92821852d3e7

    SHA512

    81bdf8ea3f116c4921982901161274ff2e476003637fcc8b4fc47e3d29f6482ecd547d383978991ff8ff7474236595241a2dd99b975ace5dd4c8ee8125bf833f