Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-06-2024 05:04

General

  • Target

    b1d879e25fa026cd0b3862adcd964992_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    b1d879e25fa026cd0b3862adcd964992

  • SHA1

    a80c5fc70b88793bb3c4bb94d8645db478e26d23

  • SHA256

    c0cced0362a874cb846f09d78c176da8312b2f86f1187c321a08b6736b68f156

  • SHA512

    81858081624f42caa35f36ce2308cc509840fbde82fec8e43fd8525e025660094989e99fb73e2f6ed74ee198f1cc967400eed4e95c64682ba85566a3ce0ddeeb

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0KMEcaEau3:+DqPoBhz1aRxcSUDk36SAEdhvxW+93

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (2670) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1d879e25fa026cd0b3862adcd964992_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1d879e25fa026cd0b3862adcd964992_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1964
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2676
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    39d7b40d6386026039778cff5a623a8e

    SHA1

    57bbeb96100ece190d20735b10f94f28c859458f

    SHA256

    6706c12bc92fe64f0146028e238e79dc97bdfcb3c6c7031e87dd944e117b5e7b

    SHA512

    5e6fed967149e772cebe0397876386a8a5fd3feb699c999a5445b2b837db992d7c61ecd64e9e9103120e188169aff96bc72f60ee23ac6223a4f099f4efc33f89

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    9b7c450aa958b5ff1cbb7a27574eb458

    SHA1

    34bc44a0102bf19c5073d55b439374df1c8ce154

    SHA256

    b3dedf8e93459003ce839f6132cda2decfd7a9d746c33e4f3c3f8186a3d303ee

    SHA512

    e4a5927ff803c70908def54067c28fa7ac42318a800f3b8839b30d7118e971b439a77783087e64d51a575b849bb417134cb1b4d35de90b34e86ad767985ed1b1