Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-06-2024 14:23

General

  • Target

    b3f780c1e13af722eb9665a5fbd1f125_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    b3f780c1e13af722eb9665a5fbd1f125

  • SHA1

    505f2038b943dea44a0bfa28782be0326bfebf96

  • SHA256

    f70f7f91fa783ff28d888e7a3cd71c748e5c09d65b28130ad703fde661488e24

  • SHA512

    7d8213e94a3bde5bb1e54ae0ec9f920ad7e033e454f8387d3811d56127beb93115004955020d5f4e59d370ce0f70dab02be8bd6b49246289d1cdfb53b2099cc1

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5HRuDC2+:+DqPe1Cxcxk3ZAEUadzuDz

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (2697) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3f780c1e13af722eb9665a5fbd1f125_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3f780c1e13af722eb9665a5fbd1f125_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1148
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4060
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    4ca26d29ab922c94701b85b3405c37a3

    SHA1

    633fdbd6c4899507887bb42d85030b08c54c64ac

    SHA256

    2c380793a5a6cfc7c736f763fe96cefa8cf3a78469d4e988223e4feb06163b0f

    SHA512

    70de3f6436a6219c7c5c2163a01bbe063fb39cf403821f519dfc08ebce0211ed8bd66ef92ff1fc7d9ee6572b8c19f6f5085c632fdc0b17255627edd52a022339

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    1400ab1e9d81a6f92176173cedde195e

    SHA1

    e36d961ffd29ad98f77999e6b47351e24ddaba1f

    SHA256

    b6c17e9f66a05adaf62ec1fff4d49b6e51f77285427470517e9c846c5202bf18

    SHA512

    07e85f6f3e52fa90a9b1e6f78a7c25c09f295412bd8ff29af6a24986e62086b554d8e32c897c2be3abe93527ae55c37373d376a4b9d5f63fa5c16b00c6ba5184