Overview

overview

10

Static

static

3

430599e856...18.dll

windows7-x64

10

430599e856...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13-07-2024 19:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    430599e85618bd750b5bbfb21cb5f857

  • SHA1

    c9ff0c824d324d6047a31eb07da54ba43a0a8b86

  • SHA256

    ec2a990e5ceea72eec6128d38e8debedffbe6cac244f7ee5e5e3d58e2ad0b202

  • SHA512

    579734a994750f09d3cd6feb1d6e5f2793bce1eca37f65cb4fef50c0c908b18248e143a85cbf3d62bf5d0af1e5a4b48faa94dc3e92846e615215276b9322c1f7

  • SSDEEP

    49152:RnpE/bcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1p4oBhz1aRxcSUDk36SAEdhv

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (2148) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\430599e85618bd750b5bbfb21cb5f857_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2068
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvr.exe
    Filesize

    2.2MB

    MD5

    03e8741684a2ea2aa24bad8da574435e

    SHA1

    9cc3be4e47aa9f1df05c1fdb8d528cfd09b8b88c

    SHA256

    4128abf9efa8bca93aede9b4a44aab78fab27d634f4c9581c64fa54d3bb8993e

    SHA512

    ff6d7dcc2242f316e31b073a9f662ad6d7bc7c31c6eedfde75e1b16109a1f8c3c70e1de92ee67db62e0561572d53c118240a3a5ec2004c12ed1d54cc3aa693d5

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    2.0MB

    MD5

    1ff321de9e6b8a865048789e18bb4232

    SHA1

    67a548cf33d086c224058ab30c631c04f5dad29d

    SHA256

    ead0300a439be8ea26abc28944d1d3eb3b111ba1b3cad76b3b0f00b26dadd97a

    SHA512

    ab57e6bdce2dd71c49affb8c093384e27d2cec6b4165a0089617098ac30ab00715e0251cc5f96f5710a74215c9eb8804113c177df7deef046d895ac733bba0bc

    Download Submit