Overview

overview

10

Static

static

3

b22b6d701e...18.dll

windows7-x64

10

b22b6d701e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2024 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    b22b6d701e2a273e7de63b84050f082c

  • SHA1

    38048d68ea12dac1e44d37eb8ff60b73949fac25

  • SHA256

    4410461ac4c1e7c17d78d3b60e2eacbcbfeddd208c9b752613797f8a8058bdc5

  • SHA512

    f6b0e5018899f161de4c80b07c655476321dea65c4a5e4288904b678f43ba0f9bade258cf3cfc74b1c45a65a16717b89f7985a36bf73b4054b35f3138c568261

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhx93R8yAVp2:+DqPe1Cxcxk3ZAEnR8yc4

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3188) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1308
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2692
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    a541211789fa1a8a6cbbf33653546290

    SHA1

    b6d6ec8b961310e0b39954f82d48271923688e2f

    SHA256

    5da9e905fcc76986f6b6b7cd124452194b72e482e94fba3af3b3ff0139bf3ead

    SHA512

    81236e532828dc892849757553571b5c61b599f52ab9eb7e55ca82a5dfab5d325ead0fe9920341366ca08e74e1c146e14dd63e8aa3ceeb7754f10ecb969649c7

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    6c26dcffe18e718d9b44580712a31cfa

    SHA1

    d6e9c62396f4f6c6e0016c6fd2355db4ea73d0c7

    SHA256

    74453273a88cc6d31e8a133ad1cea962bf7a65181209fce2443ccb97e13ee4cf

    SHA512

    1b94b8bb8fc469592deca1bf3dd80ee61bd55a024194e73ad83a60043673abbda240ee394836455e14a1d54e5486a8306ef6ed919dd582f09afc903e4d05a3c6

    Download Submit