Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-06-2024 14:07

General

  • Target

    920f8846be4136bbd172db82715ed620_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    920f8846be4136bbd172db82715ed620

  • SHA1

    ba184c8d68968deeb7304a713fe67b03639a850d

  • SHA256

    ec4159621c258d5a426905eed5a43e4b7ab5a9d3be0e05a16622ebc430c56164

  • SHA512

    09cabcf9e67135de399221b3cf64de357914ac070393737be0f085cbca6ef94ba0ec7160c615e80dd106ae61f74e8b84ffa17fb5007a7db0b672b7266c1361be

  • SSDEEP

    12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+hq0yBt6O4LEg:zbLgddQhfdmMSirYbcMNgef0r

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3302) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\920f8846be4136bbd172db82715ed620_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\920f8846be4136bbd172db82715ed620_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3040
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2528
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    34098727098a3dec3d3d7d404cdd80f3

    SHA1

    bc8f7137bf67a20726d7f3ad23051c62f1012374

    SHA256

    c15022855bcbb1dc8b87ebe9746b912e993fde3f12aaf7812b1baa7ba1d6faeb

    SHA512

    31489b5f9b3a83c1b1c652c248015753b41046523ab4039486d52ce24ebe752a6a805a21450e959845c94d62c2dad648aeb6449e4139b9a46685cd7d4aabfce2

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    86b8dc0e4fd2c5a82fe3d83052330ad3

    SHA1

    e6019ec59f381b1785c3e2a582fb6c503bb80570

    SHA256

    e04db2b525fb78b6adc528f7cdb856e18ca1db803d3a390bae7df0fb57ad03c6

    SHA512

    a04c021f4a0e7a9ea2afaf3213c4461c69a80714d5ade8b079ff43aba30ffd0d4dd456f3d9c8ec8336102d14487ef117fa3d30774a0955aa528a2e8d2ef5ca7d