Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-06-2024 17:33

General

  • Target

    95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    95b2c12e9afeaed5fbe056e49fc1eaaa

  • SHA1

    223e0d98f84870b2a7d925b62eba5dcc64da6c82

  • SHA256

    285a80c30114cd0759ce092586eb9d3ac5ebdeb01e2bdc062a74b7c0a9a6c45a

  • SHA512

    6404dca3869606d3f39a0997040320755094f4a6bc11c5d470cf444e3f3089037a8f89985788a68d39a52fa4aa7c6058b82618fc253604c1b585ffebfc8d00f5

  • SSDEEP

    98304:+DqPoBhzBRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPefxcxk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3088) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2460
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2772
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    a2a3e10eb73eff854be52d6647698f70

    SHA1

    f1162eb2213ef084bbc0e75a68e4654f2a0efed5

    SHA256

    82d4d7a9a740f3c56c3c71d6d65af9ffe80a7f0839bba5af4d27135a8d3b6609

    SHA512

    63bfaea06170adc82919cc1be74254035b9dc317b3b8890a63a3622b533cbc8835bb3e0147748397da07cec657157f22b0a84ee676b80bad0d18232fbfe157bd

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    a21d2a470b89d4c1916edd49e615e941

    SHA1

    b31f148803f88330c870659a7b9a173aa422baae

    SHA256

    438603dde75732b4f81fc31bac2de414a8060601c34c517c5b99f3f180c989cc

    SHA512

    2a928d33eb8e6d4849234a3c6ba0b7a2f12cdedef39fdc26c98ac532772eaf4f2448571afd345d0780cc5a666b7e77cbb5872defe8b89a00c2fc9650158e719d