Overview

overview

10

Static

static

3

a119f909f7...18.dll

windows7-x64

10

a119f909f7...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12-06-2024 15:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a119f909f723d75e958d1a8b4b7c7772_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    a119f909f723d75e958d1a8b4b7c7772

  • SHA1

    b9fa1802da17688666df58a5ac6b38e49603c19c

  • SHA256

    412d4635deca5e3f92f67f9e870d37c6ba3425f4dc5234b08d2abf84d2267f25

  • SHA512

    71fdb25be9ad09ce09ebdce9f1ba9920083f69aaf7f6001d1384d2f8ff4bd6126fefcccf9aa2c5200b4d43c6e14dc1828e2be00d49a1e09bdb6fde5b8785276a

  • SSDEEP

    49152:lnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM:pDqPoBhz1aRxcSUDk36SAEdhvxW

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3231) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
      PID:384
      • C:\Windows\system32\services.exe
        C:\Windows\system32\services.exe
        2⤵
          PID:480
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch
            3⤵
              PID:596
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                4⤵
                  PID:340
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k RPCSS
                3⤵
                  PID:676
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                  3⤵
                    PID:764
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                    3⤵
                      PID:812
                      • C:\Windows\system32\Dwm.exe
                        "C:\Windows\system32\Dwm.exe"
                        4⤵
                          PID:1120
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        3⤵
                          PID:860
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          3⤵
                            PID:964
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k NetworkService
                            3⤵
                              PID:284
                            • C:\Windows\System32\spoolsv.exe
                              C:\Windows\System32\spoolsv.exe
                              3⤵
                                PID:352
                              • C:\Windows\system32\taskhost.exe
                                "taskhost.exe"
                                3⤵
                                  PID:1068
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                  3⤵
                                    PID:1140
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                    3⤵
                                      PID:3036
                                    • C:\Windows\system32\sppsvc.exe
                                      C:\Windows\system32\sppsvc.exe
                                      3⤵
                                        PID:2096
                                      • C:\WINDOWS\mssecsvc.exe
                                        C:\WINDOWS\mssecsvc.exe -m security
                                        3⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies data under HKEY_USERS
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious behavior: MapViewOfSection
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2592
                                    • C:\Windows\system32\lsass.exe
                                      C:\Windows\system32\lsass.exe
                                      2⤵
                                        PID:496
                                      • C:\Windows\system32\lsm.exe
                                        C:\Windows\system32\lsm.exe
                                        2⤵
                                          PID:504
                                      • C:\Windows\system32\csrss.exe
                                        %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                        1⤵
                                          PID:396
                                        • C:\Windows\system32\winlogon.exe
                                          winlogon.exe
                                          1⤵
                                            PID:436
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                              PID:1180
                                              • C:\Windows\system32\rundll32.exe
                                                rundll32.exe C:\Users\Admin\AppData\Local\Temp\a119f909f723d75e958d1a8b4b7c7772_JaffaCakes118.dll,#1
                                                2⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:2868
                                                • C:\Windows\SysWOW64\rundll32.exe
                                                  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a119f909f723d75e958d1a8b4b7c7772_JaffaCakes118.dll,#1
                                                  3⤵
                                                  • Drops file in Windows directory
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2984
                                                  • C:\WINDOWS\mssecsvc.exe
                                                    C:\WINDOWS\mssecsvc.exe
                                                    4⤵
                                                    • Executes dropped EXE
                                                    • Drops file in Windows directory
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious behavior: MapViewOfSection
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:2284

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Windows\mssecsvc.exe
                                              Filesize

                                              3.6MB

                                              MD5

                                              43f0ce1ccbaa0e7afeea08ab49b2e930

                                              SHA1

                                              21e0b779cc7f6f2836d7347e7ec48d63be15ecba

                                              SHA256

                                              bc9518b04513010de1c13e8956b737cb0aa3e4ce5c6d6da637c18ea0257336d7

                                              SHA512

                                              27bde3b24d4898ad7910db8120fdfb4018dfef5587f876f876a5c91e844f25458680741d2a5f8b749bbe95ef0a59b3141fc91c0ad499b0d33e673c1ff257267d

                                              Download Submit

                                            • memory/2284-7-0x0000000077690000-0x0000000077691000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2284-9-0x000000007768F000-0x0000000077690000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2284-8-0x0000000000400000-0x0000000000A73000-memory.dmp

                                              Filesize

                                              6.4MB

                                              Download

                                            • memory/2284-17-0x0000000000400000-0x0000000000A73000-memory.dmp

                                              Filesize

                                              6.4MB

                                              Download

                                            • memory/2284-16-0x000000007EF70000-0x000000007EF7C000-memory.dmp

                                              Filesize

                                              48KB

                                              Download

                                            • memory/2284-15-0x000000007768F000-0x0000000077690000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2284-14-0x0000000077690000-0x0000000077691000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2592-11-0x0000000000400000-0x0000000000A73000-memory.dmp

                                              Filesize

                                              6.4MB

                                              Download

                                            • memory/2984-6-0x0000000002130000-0x00000000027A3000-memory.dmp

                                              Filesize

                                              6.4MB

                                              Download