Overview

overview

10

Static

static

3

b15c022f3f...18.dll

windows7-x64

10

b15c022f3f...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2024 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b15c022f3f18663b835299793cedc631_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    b15c022f3f18663b835299793cedc631

  • SHA1

    24d77f6019b1fe5396147ef6a577103a7d1727ef

  • SHA256

    21042a7b67316cad948aed3b784fae60aa215f0b8e11d2fcce566b1080b8cbdd

  • SHA512

    73170bc873820471ca21d5b16e0cd5dfabd8bb574ba829fff34353b210eea89543abf2ef8853815df64963aa3eff2159df3f3c27cd2abd8179a61b4ffb91a510

  • SSDEEP

    98304:+DqPoBhz1aRxcSU8xWa9P593R8yAVp2H:+DqPe1CxcxadzR8yc4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (2663) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b15c022f3f18663b835299793cedc631_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b15c022f3f18663b835299793cedc631_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1288
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2588
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    11ee9c8a2d541a9409ac52aa4ed0092e

    SHA1

    6f99f7c62c3f8941d5aef6f6c12efb8ce97a63f4

    SHA256

    0c8cbd7893cda0843f3ca95c92f96a0775ff81c2fc6aea0783634c247f2c035c

    SHA512

    81713df4b904df18ff33dc72b2858385f9067b962b73f784558f3eaf8e2755142c2c54749422693c8074ee349b023a8b33c566b6e90b598671e8b93a7a3312d7

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    7688e306fdad9117a138e0e7f1cb78ca

    SHA1

    ea396123b58d6fbb10c57eb6a8a837d55b42b5f0

    SHA256

    74edfb491a79580bda5953d2149930eb9b5941f3c71a76db919d7d98a841143e

    SHA512

    0555afb491769733090936da2461da479e203dce865fd6ab4a4df3679a224597ca3ba72cb7182dfcb398391cfa7ce8d72bdaf1699ec97dc2b1581f81bf87c788

    Download Submit