Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 23:04

General

  • Target

    abe6e87983c57683bbbb49fb6dc2251b_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    abe6e87983c57683bbbb49fb6dc2251b

  • SHA1

    bc01665343d892b92f4320652e89d5252afbb8b3

  • SHA256

    c63bf97c4a4bc3e4f209f9001c80f349149f2573b1bd8a3ca4d1e5cbc03fd806

  • SHA512

    33cf102d67e4ef204b5662a5503e00814e8f4d9060cc40b8b88d4fec154bb422f696ed5c035be27601cc7c53885caeb3e05abe64f1a163beab83a28c4ab1eff6

  • SSDEEP

    49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdh:TDqPoBhz1aRxcSUDk36SAEdh

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3263) number of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)
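The two network signatures above are driven by the same observation: one guest opened flows to 3263 distinct remote hosts inside a 154-second run. The script below is an added example of how that signature is reproduced from flow records on a network sensor; it is not the sandbox's own detection logic. The flow log is constructed to mirror the report (one host sweeping a /24, two well-behaved hosts), and TCP/445 is assumed for the sweep since the report does not name the port (WannaCry spreads over SMB).

```python
"""Flag a source that contacts an unusually large number of distinct hosts
on one destination port, the behaviour this report summarises as
"Contacts a large (3263) number of remote hosts".  Added example, not the
sandbox's own logic.  Flow records are constructed, not captured, and
TCP/445 is assumed (the report does not state the port)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

T0 = datetime(2024, 6, 14, 23, 4, 0)   # matches the report's submission time


def build_sample_flows():
    """Constructed flow log: one guest sweeps 10.1.3.0/24 on TCP/445 in ~50 s,
    one client talks to three web servers, one backup host legitimately
    reaches 30 SMB peers (below the default threshold)."""
    flows = []   # (timestamp, src_ip, dst_ip, dst_port)
    for i, host in enumerate(ip_network("10.1.3.0/24").hosts()):       # 254 hosts
        flows.append((T0 + timedelta(milliseconds=200 * i), "10.1.2.15", str(host), 445))
    for i in range(40):
        flows.append((T0 + timedelta(seconds=i), "10.1.2.20", f"10.1.4.{i % 3 + 1}", 443))
    for i in range(30):
        flows.append((T0 + timedelta(seconds=2 * i), "10.1.2.30", f"10.1.5.{i + 1}", 445))
    return flows


def distinct_peers(flows, window=timedelta(seconds=120)):
    """Group flows into tumbling windows (relative to the earliest record) and
    collect the set of destination hosts per (src, dport, window)."""
    if not flows:
        return {}
    base = min(ts for ts, *_ in flows)
    buckets = defaultdict(set)
    for ts, src, dst, dport in flows:
        slot = int((ts - base) / window)        # timedelta / timedelta -> float
        buckets[(src, dport, slot)].add(dst)
    return buckets


def find_scanners(flows, threshold=100, window=timedelta(seconds=120)):
    """Return one alert per (src, dport, window) whose distinct-destination
    count reaches `threshold`.  The threshold is a tuning knob: a backup
    server or an authorised vulnerability scanner will also exceed it, so
    exempt those sources explicitly rather than raising the number."""
    alerts = []
    for (src, dport, slot), peers in distinct_peers(flows, window).items():
        if len(peers) >= threshold:
            alerts.append({"src": src, "dport": dport, "window": slot,
                           "distinct_hosts": len(peers)})
    return sorted(alerts, key=lambda a: (-a["distinct_hosts"], a["src"]))


if __name__ == "__main__":
    for alert in find_scanners(build_sample_flows()):
        print(f'{alert["src"]} -> {alert["distinct_hosts"]} hosts on tcp/{alert["dport"]} '
              f'(window {alert["window"]})')
```

Counting distinct destinations per source and port, rather than raw flow volume, is what separates a worm sweep from a busy but legitimate server: the 40 flows from 10.1.2.20 go to only three hosts and never trip the rule.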

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe6e87983c57683bbbb49fb6dc2251b_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\abe6e87983c57683bbbb49fb6dc2251b_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2148
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2440
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2564
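The process tree above is the part of this report that transfers most directly to endpoint detection: rundll32.exe loads the submitted DLL by ordinal (`,#1`), re-executes itself from SysWOW64, writes mssecsvc.exe into the Windows root and runs it, and mssecsvc.exe in turn runs tasksche.exe /i; a second mssecsvc.exe instance (`-m security`) appears as a top-level process with no parent shown. The script below is an added example, not the sandbox's own logic, that applies two rules to process-creation events: a name-based rule using the image names in this report, and a generic rule that catches any executable run from the Windows root whose ancestry passes through a rundll32 ordinal-export call. The event list is constructed to mirror the tree; the parent PIDs of the two top-level processes (explorer.exe as 1500, services.exe as 480) are assumptions, since the report does not show them.

```python
"""Detect the execution chain shown in this report from process-creation
events (pid, ppid, image, command line).  Added example, not the sandbox's
own detection logic.  Events are constructed to mirror the report's tree;
the parents of the two top-level processes are assumed."""
from pathlib import PureWindowsPath

DLL = r"C:\Users\Admin\AppData\Local\Temp\abe6e87983c57683bbbb49fb6dc2251b_JaffaCakes118.dll"

EVENTS = [  # (pid, ppid, image, command line)
    (1500, 1,    r"C:\Windows\explorer.exe",            "explorer.exe"),         # assumed parent
    (480,  1,    r"C:\Windows\System32\services.exe",   "services.exe"),         # assumed parent
    (2072, 1500, r"C:\Windows\system32\rundll32.exe",   f"rundll32.exe {DLL},#1"),
    (3016, 2072, r"C:\Windows\SysWOW64\rundll32.exe",   f"rundll32.exe {DLL},#1"),
    (2148, 3016, r"C:\WINDOWS\mssecsvc.exe",            r"C:\WINDOWS\mssecsvc.exe"),
    (2440, 2148, r"C:\WINDOWS\tasksche.exe",            r"C:\WINDOWS\tasksche.exe /i"),
    (2564, 480,  r"C:\WINDOWS\mssecsvc.exe",            r"C:\WINDOWS\mssecsvc.exe -m security"),
    # Benign noise: rundll32 and svchost are ordinary Windows activity.
    (3100, 1500, r"C:\Windows\System32\rundll32.exe",   "rundll32.exe shell32.dll,Control_RunDLL"),
    (3200, 480,  r"C:\Windows\System32\svchost.exe",    "svchost.exe -k netsvcs"),
]

KNOWN_IMAGES = {"mssecsvc.exe", "tasksche.exe"}            # names taken from this report
WINDOWS_ROOT_BENIGN = {"explorer.exe", "notepad.exe", "regedit.exe"}  # legitimately live in C:\Windows


def _dir_parts(image):
    return [p.lower() for p in PureWindowsPath(image).parent.parts]


def _ancestry(by_pid, pid):
    """Return [process, parent, grandparent, ...]; stops at unknown or cyclic PIDs."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return findings sorted by PID; each finding lists every rule that fired."""
    by_pid = {pid: {"pid": pid, "ppid": ppid, "image": img, "cmd": cmd}
              for pid, ppid, img, cmd in events}
    findings = []
    for ev in by_pid.values():
        name = PureWindowsPath(ev["image"]).name.lower()
        in_windows_root = _dir_parts(ev["image"]) == ["c:\\", "windows"]
        reasons = []
        # Rule 1: image names observed in this report, executing from %WINDIR%.
        # Catches the service-style instance (-m security) even though its
        # parent is not the dropper chain.
        if name in KNOWN_IMAGES and in_windows_root:
            reasons.append("known WannaCry dropper image in %WINDIR%")
        # Rule 2 (generic): an EXE run from the Windows root, not a known
        # resident binary, whose ancestry includes rundll32 loading a DLL by
        # ordinal ("<dll>,#N").  Survives a rename of the dropped files.
        ancestors = _ancestry(by_pid, ev["ppid"])
        if in_windows_root and name not in WINDOWS_ROOT_BENIGN and any(
                PureWindowsPath(a["image"]).name.lower() == "rundll32.exe" and ",#" in a["cmd"]
                for a in ancestors):
            reasons.append("EXE in %WINDIR% root launched under rundll32 ordinal export")
        if reasons:
            findings.append({"pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["pid"]:>5}  {f["image"]}: ' + "; ".join(f["reasons"]))
```

Rule 2 is the one worth keeping after the file names change: it depends only on where the new executable lives and on how it was reached, which is why the benign rundll32 control-panel call (shell32.dll by export name, no child in the Windows root) does not fire. Rule 1 is needed for the second mssecsvc.exe instance, whose lineage in the report does not run through rundll32.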

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    68c6204cf77e572e59f69614b2ca3d08

    SHA1

    33631d615d796844cdb9fd37c78d82cb83af1a5f

    SHA256

    93cda4a7e1fcc7e2f79437354e36f5e58ccac5f01ce54054e88ba7a54115a3cc

    SHA512

    76387771afdaeed08bca9528ffec6780881d3d748e58f9019897bc7f5c72701ffdaaaeabd1a8bc52bc3a791cfd7326fee88207e837ce348e5254915e9376f378

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    bccad6972840ccd4069b2f9ce01eb89d

    SHA1

    55c3531a3d17492bfd4cf5f297a34c3c939252ab

    SHA256

    5aaf6cc5874058d52270446a17529877390b1efafa4b1e7035b35ec4986bdc52

    SHA512

    75432c3df367c08228267b97b6bdff646ad16c1ea9f28af6986b51296da0f256276445f02b057b35d8038ba6fdfaa4bdc8001f40e9723996e43b7a229d1e332e