Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 03:56

General

  • Target

    9075df3b07f0c4a8456d8c0a4ee238a3_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    9075df3b07f0c4a8456d8c0a4ee238a3

  • SHA1

    146bde116d5db4bc3fd267331a0bc471e76cf383

  • SHA256

    a29bcd2e4bed2070694649cd396fc55ec9ea8d85ac353123e1300822de6f35c7

  • SHA512

    2ddd4a42df2b65bbf6384da04010bcd71d262c52f7cf4d655811f7cb7ba9ff10579fbebf095b47df79368ce876d28b9f6ef5d4d88e3d76d09424898fd27df704

  • SSDEEP

    24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626dhWRgImGt/8CatZK:znAQqMSPbcBVQej/1INRaQyvGSIkI

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3273) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9075df3b07f0c4a8456d8c0a4ee238a3_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9075df3b07f0c4a8456d8c0a4ee238a3_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2032
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1744
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    d0ed5c9985c0199e7369af95e02a04b6

    SHA1

    224c45266c93c34b63a21bd32cc43d0d88b21997

    SHA256

    6d781308531574bfb81814afbc274788e5bcf382f49647f75d34c64c3964dd18

    SHA512

    30de7972cbd6427add8ae2f90ec39ddf5b5880186aa83886abea0849edc13dd89af801ce5f16108730cf1a024ce7e6dfa65da9ae00c7a842bcdfa5c05e6c24ea

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    aa006359852192bee5625567bc884a62

    SHA1

    1892f556af3b41fc9abe57542b6a031d2706b34c

    SHA256

    4f5642d36690d79623dd0bb89cfab51e61216f8bab4323ee09a98005a0756fda

    SHA512

    41c603812d893cb3b3425e7ada17835f53ede64ce64a78c8b56dbe455c7dd439d3c6d3e29d36699b765ad067534e54304adcf0d128299e3d0b416f7e3c645364