Resubmissions

11-08-2024 00:37

240811-ay1r5swfmn 10

10-08-2024 14:58

240810-scexnaycrb 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    11-08-2024 00:37

General

  • Target
    8683a6c8fdc3acde4f13c531ef0ec2a1_JaffaCakes118.dll
  • Size
    5.0MB
  • MD5
    8683a6c8fdc3acde4f13c531ef0ec2a1
  • SHA1
    aef8e6adf601ac20d1af3fcf50c20a75fffbfd31
  • SHA256
    c642274c1109c6de3954e68f57b897a55c262702ee6f48b5e9770ac3a1757453
  • SHA512
    9d0d6f1017a3068963601f5b7adf3db5cd543274dd09d5492c93628f0b6a4c6a419b85c1e9e3cf12ef69d70351e53b4f15381aaaaba1f15e71e71f38aa509708
  • SSDEEP
    98304:a/qPo1hz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:a/qPy1Cxcxk3ZAEUadzR8yc4H

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (2085) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8683a6c8fdc3acde4f13c531ef0ec2a1_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8683a6c8fdc3acde4f13c531ef0ec2a1_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3904
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:616
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4688
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 8
            5⤵
            • Program crash
            PID:1320
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:864
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4696
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4688 -ip 4688
    1⤵
    PID:1964

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize
      10KB
    MD5
      4d52399020a24c1f6b4254cc7252504b
    SHA1
      2afe0c8994c64898d5fe16ca68811438ef19b0ee
    SHA256
      e75a14ce8abaea1788c4361552ef9ef2b86ea02485eb4ad5f8c22c9c49ece3e7
    SHA512
      a481726d4ef1dfd67a86ae79e16abda87a0f370310758cc8a1bb2516a69557129e9612b9430c0ae11d7ddf72e1afc3375f5649a09bb53febe5cc16718ba976b4
  • C:\Windows\mssecsvr.exe
    Filesize
      3.6MB
    MD5
      25a0ad26bc7a5997378dba06e9152a48
    SHA1
      992a271a0eec0388fdd524aa049e7e4e30401720
    SHA256
      2794a705c163218f71fbf59773f5447a05b776100ce4d08318bd055c9bfe09ef
    SHA512
      9b2eeb7c72c98fa4e7089419528a3041f6df3e13d435d378cd0aafce1500d452ac28e9f6363f0d93893da8b7839c9f9ac8541e6891a8e785f5333521813336eb
  • C:\Windows\tasksche.exe
    Filesize
      2.0MB
    MD5
      5f80c54de7e00489bf51d0ff66158f10
    SHA1
      ebf83fd4127d539b48b27cbc5528ac0480181c1d
    SHA256
      14a14fb7bde9794b67b3e62837f6e6cdc0cb801657dd46726cc0a4bb15727d19
    SHA512
      dcb132fa4bd04f6bb0fc3068874eb976afd96d48d598bfbafc9b2922b8f5e994cc667ec24ad95070f9962eb59596bc2b632c3442465c2b06f1c04e8476305d85