Overview

overview

10

Static

static

3

9d9585c4a7...18.dll

windows7-x64

10

9d9585c4a7...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-06-2024 08:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d9585c4a7fcdaa359f5c9524ed79e10_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    9d9585c4a7fcdaa359f5c9524ed79e10

  • SHA1

    c924f26d718df11d193555a7a148f61ef49b4acf

  • SHA256

    ad4883a754743db81809cc13dd42a5e0e4e3732ef0f9f250aa8f8db84ad3adec

  • SHA512

    59ad376962bc5d640b71e4f0cde71ac0dbc018306ffd752262c50d69de3da9e6ae225e55186aa1078836eebedc3fc171a991223d2ab65caf873e8f2a324b87ca

  • SSDEEP

    49152:SnAQqMSPbcBVHS6SAAjEau3R8yAH1plAH:+DqPoBxS6SA53R8yAVp2H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3256) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d9585c4a7fcdaa359f5c9524ed79e10_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d9585c4a7fcdaa359f5c9524ed79e10_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:832
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2568
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    2cfc8a3adc98b3395b7abc64d0cb3d41

    SHA1

    3d3721efdc7c8df3639c8b2af0a8204dd854dee0

    SHA256

    3052e5388792de337a2102b79fe31254007e005a63e7bf1179a5296bca9d5c44

    SHA512

    df9c6d68ba515ecbfb63a827080de716f99335f75791b0ae3150633865c466501f34c6fbd1819cc7fb9aabc6869eb35e5ccc5cd365e4e2d1fa41c9b092845724

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    3894c0959aef497a8ee3b46fa80ee66e

    SHA1

    c2ce2523300b1516da89012ef079b8e8cb922f39

    SHA256

    ba10e3e9f7a449bd6cf4089b9724007fc5d83c7a6516a7bf879e9a4a25564f93

    SHA512

    7816f5d54febcbfec4de4e4ecab8ef01288a6ccf3fe1d0a118118e7d30b12cbbd1dd80b5703531ebbd3716767866301050439e937a5321782d131fd243d342a5

    Download Submit