Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-07-2024 08:47

General

  • Target

    4d9810bcdc87117c5d16b22370d3be89_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    4d9810bcdc87117c5d16b22370d3be89

  • SHA1

    91e1b3b035521ea6a3a989c4e0930926704de672

  • SHA256

    b4418dc00381089e32d75414a3f31d823d3cb08f7066b4f7ec1aac34e77f1fb2

  • SHA512

    7bd922b367d66db8029ac4068f1393ff70cf365d3fa0acd3ba7500492650cd84d248ec776b8070ba9a2f713a71e44c020582d2b05780fd776d9078234849ed09

  • SSDEEP

    98304:d8qPoBhz1aRxcSU9k36SAEdhvxWa9P593R8yAVp2H:d8qPe1Cxcfk3ZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3266) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d9810bcdc87117c5d16b22370d3be89_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d9810bcdc87117c5d16b22370d3be89_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1204
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2216
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    2b49976869562fc44b9405d132b2cb26

    SHA1

    fa0d549c7013ccbedbb745715c87c465ec56bb2d

    SHA256

    f30ac050843a04a6815a60527f4b3055461be7204cd8da2b70ee574a455a3f0c

    SHA512

    8350d54dc31a17858a099176448a85730e36cede298064efaae526e2655db6a4fb97828654a00f1601178e66a197c61be8cfc0eec5ea756a257a6684367a3e05

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    6e96c944eb1bef4c71efe26b32b07557

    SHA1

    15205cb6303a3cf85610d88034aecd0eaeda0302

    SHA256

    7bada019acdd0e6ece41ee34f66d7d20121a59f526015790d582829715055b1a

    SHA512

    1430ac66e62850014b390df1a89b256cc08f33e6fedd22781bd7ff31263c838bf5b8744d149d06e457b38d1270a94bda966b10fccfd5de4ec5bc1c3d22332bfd