Overview

overview

10

Static

static

3

abb8ae7154...18.dll

windows7-x64

10

abb8ae7154...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    14-06-2024 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    abb8ae7154abbdfad58617fbd6e37e25

  • SHA1

    666e933158146b2e09b17d4d2928f88f641e441a

  • SHA256

    dc9e52ca2f0ae795394ceed7959eee45e6eb78a33757a4d274246ea33c492ea2

  • SHA512

    0b4f72fe74c8c011524c8124d152ff9682378c849b02942e00b5b0d7027f7036131a47dbbaa2f5c729b19fcc95d14401cd3a2ce5ca7f133a5a55b1ed2cb8caeb

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0BkQg6eX6SA:SnAQqMSPbcBVBkQo6SA

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (2647) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2980
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2456
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    d714de5177b8317d3f15f161dcd7bff8

    SHA1

    bcceeb2ab589aeff2b890f9581c7e6aac82e5a72

    SHA256

    c87f021d535c6ab171dbc9c9c1daf084c2c1f366ba307b3efa3923fbbd1f8227

    SHA512

    27879ecb9519653b907886a2326be55c17d0dc8a205631cef075e551548c7ad5e50ab4acba4d2cbe86387ad31275d73ae377c3b3857882a41c0df70fe35b45af

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    3eb8205a8574d044000a515e2d445814

    SHA1

    dc67dbb939bb21a9a187f53da19750d50e2f34b1

    SHA256

    92f53ba1bf6dfe19b9404d5dd93c9275496933ea1bd97b83ca1c73996d13acff

    SHA512

    740889c4b9cb4b32f2111bd85db1cc5615ad6ba9821df7cf211c05e7fb3fb5c89f406418469d98575590e15d39637cef97000ba181b0798e8bbbbd737d89233e

    Download Submit