Overview

overview

10

Static

static

3

9b5414fe2b...18.dll

windows7-x64

10

9b5414fe2b...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b5414fe2be2c2a4db4a27214c5ce934_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    9b5414fe2be2c2a4db4a27214c5ce934

  • SHA1

    fb3ef9a47e234c83796099bef5d2fa0d86b0ec38

  • SHA256

    391fe9571f240be81bcc5df90d867871bb248d24cd0c4633c240e61c8ad8dd1f

  • SHA512

    f0f4514f66b3c48443aef62b7221bca406e5b3c2078f04a2f2002d2f1a2ea51d543b7a078dd407ff1a3db0c0a6bb52caa5c7049ff2f694537ab52010f71700d0

  • SSDEEP

    98304:+DqPoBhz1aRxcSUNk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Cxcnk3ZAEUadzR8yc4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3286) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b5414fe2be2c2a4db4a27214c5ce934_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b5414fe2be2c2a4db4a27214c5ce934_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2560
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2604
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    e96dd428adce6fca4f43709adf2da4ed

    SHA1

    02836566321980602ace73eadf641b9ad20f760c

    SHA256

    635880bbafbb117393ee80732defcc83b7183a7b37bd194e8dd008cacb51d86d

    SHA512

    b591b1c460835fd9c2f557483da84ca022e698ce73fb256f80b168d987a396d28036bc0717a160f03d764972e6a9d3e9130d07395706001261778275e75b0e19

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    f2afae168a37518afb269e08fb261117

    SHA1

    7146e665185a3c340e0ca2bcddeaa0f76783fdab

    SHA256

    e0311d7b25a0c2fe5b7977d6170f9a21f9b473f32e508c9541d1367661b52cec

    SHA512

    dee0c03f42005a0c2972b271359fcc770e59832b08d9686881e7f93d00af1d01b419245c5d466579fe3bd33323f879425a025dc0492f23efe5a577ed0e2d2780

    Download Submit