Overview

overview

10

Static

static

3

be5fc60292...18.dll

windows7-x64

10

be5fc60292...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    24-08-2024 10:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be5fc60292e3034da9dc33bfb3accaa2_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    be5fc60292e3034da9dc33bfb3accaa2

  • SHA1

    c4963e9abe5380ac750198f5c866875721a1a59c

  • SHA256

    c4463bf99e141e8b7ef222d1b9144c0ee509eba02804df596f4a1a13efc289d4

  • SHA512

    e72e3526e7a31e693ac428c12b13f7ab7fbfd1a83896f4cd538877727458bed10065f21a1a1cf37434bc60fc9b6ff18bc2c34356cf97d7054d8a074cb7bbf1bb

  • SSDEEP

    49152:SnAQqMSPbcBVQej/ORdivBJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBhzCdKBWa9P593R8yAVp2H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3197) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\be5fc60292e3034da9dc33bfb3accaa2_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\be5fc60292e3034da9dc33bfb3accaa2_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2400
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2808
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    599ca6f0fc7b1f573e334b5d859bd60b

    SHA1

    8102c25596ab4dad51a4d00341d83709e294a7c7

    SHA256

    c0e6b5340b5de6cb270c26a4cbdb85c4f10bd348bad277f66c3e3a1150e0b8be

    SHA512

    c750bd179d769eb6561f07f0a2a4b6252b8c5e3df62cd871a1dde960ce4f4dfaa00403378ba63c36d89112ad8212fba2957cfd605517d64cac84e75c962d97e3

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    b17dcf4a59c4d513d9eda37d308b83e7

    SHA1

    09c9bfeeb7a6967a4043ef5129fe81c81274829c

    SHA256

    5bf30361b8690f8faea216763e741b8d5f56b0e634a85a2ed090697ad4c4568d

    SHA512

    aefa6a8fc00054d749420d3e61b07eb21b6b4e1d4bb9fd1610eb340814137e6a331c334afbeb12b2c9dff1d31c4f4a427aeefccc7cc7930083fccadc05b66434

    Download Submit