Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

38a3377280...18.dll

windows7-x64

10

38a3377280...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11/07/2024, 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    38a3377280ad3182ab1541c841add640_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    38a3377280ad3182ab1541c841add640

  • SHA1

    86b486bbcbeca9d821af505d2c0fde1c3a73ab2e

  • SHA256

    3b6f289036c7e924b20c5eb12daa5b902dcc660fc89a99b9fd0024088c9bec45

  • SHA512

    8c1740d12db3352ef27570010a42c51fdaa59695ca720b09786b1d1d0e9025da1dc248285c0f6656e31acc8f4f267b228b36698f528db73ce9b09fbd6672b97c

  • SSDEEP

    12288:T1bLgmluCti62WfSm0iEcQhfYNVUy7ckPU82900Ve7zw+K+DHeQYSUjEXFGeX:RbLguriIfEcQdIVUacMNgef0QeQjG

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3148) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\38a3377280ad3182ab1541c841add640_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\38a3377280ad3182ab1541c841add640_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2120
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\tasksche.exe
    Filesize

    2.0MB

    MD5

    0c761ff198ad086294f0a317de3812e2

    SHA1

    fe057de7755461c0595c00a54e5e37b2da29d50a

    SHA256

    befb04b65682bab3d99663901730dde05c298604b9db15bb65fec062865465d6

    SHA512

    d1ed2fe76a390dcaec2d57e0d14ba3413b547cef0a2f6f18ea2ba96be49fc6192d982aa836d5e634027b86b7ff49675bf777d73a752d1795b479fd4ef225ebf3

    Download Submit

  • C:\Windows\mssecsvr.exe
    Filesize

    2.2MB

    MD5

    a88fd13c373d10711fd23d4893d199f7

    SHA1

    a1b0d0de6b658171b45c4db034bc846e8ef06e02

    SHA256

    c00851c0e0fcadbf5430ff8ad8e68bf453fa5a70d21f6b0d65437f27d7be514b

    SHA512

    13befe2211f6a92f46a00ef6789f9dabc4dcac838a2dff3434698334b6efcc8604c429f16c780072f6985c75776e17b7deb6411fc6bd18606377037e8a33d873

    Download Submit