Overview

overview

10

Static

static

3

ad143d855e...18.dll

windows7-x64

10

ad143d855e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15-06-2024 05:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    ad143d855ed6fe12573a7b09efd6ee5b

  • SHA1

    52f74369c47090ff862a28af995ed32feb942c05

  • SHA256

    6c16edaca2f239d81cdf8209fdd224471960bf458dbba23c44f19fe86d716e7c

  • SHA512

    beb64b9d37d043a21cab369f62ee52f0531e9eb71b742d7e9438d704485533f685ac3109376cff76b1559a3ba4814a9ce708be079fa37787056b0c9181e34204

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDk36SASdhvxWa9P593R8sJ:TDqPe1Cxcxk3ZASUadzR8s

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (2670) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2956
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2572
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    478a30349e40d90f90f54e5e440e7265

    SHA1

    37cb981546d53825323cd39f952f06fb7d110a27

    SHA256

    834390249a1c816b43be8f7049c3b9e288f918f375b484a936c834de5f9078a5

    SHA512

    25580efcf94bbcf7e0ced87c9a362620013d0f322d433810c1d52cc12bdfc538eaffb84d97ee00ccf8dc6580e7bdc6d63ca68398797a29427849c206bf32945a

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    0cb6eddf35473a5904a2b56bd391efec

    SHA1

    8111594e887e972bed1d9c3ab08fd324dcc4deaa

    SHA256

    f9d55d230e908a6005593b0941840fffb83475ef69014ba20e81dea56309fd42

    SHA512

    86627a974f9bade1222792ec978ae51c0de5571db66627e06a4d9fde5e100d4e3d267aaa9c1544a18793c8d55147bb603a31872df478dd238a547f32eb808e6a

    Download Submit