Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-08-2024 12:57

General

  • Target

    bea2c7b2a054321b99b855abaa7ede8f_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    bea2c7b2a054321b99b855abaa7ede8f

  • SHA1

    55bb7148586969fdd2be6b94ab3846937d88623e

  • SHA256

    a735ae0e3018c7098d998c17ad5f01d0ddb72edfa754a9e9ddd1a70c2f095c97

  • SHA512

    2f0d3c70edef83e4bf0597e107000be68c554be2010e436bd4c0916cd375060b01508434e30844261098b28c517a97636adb71a70d2eaffb052f9011c2dce5c8

  • SSDEEP

    24576:RbLguriIfEcQdIvrYbcMNgef0QeQjG/D8kIqRYoAda6626WgkQg6eX6SASk+Rdhv:RnpEjbcBVQej/1Il6kQo6SAARdhnv

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (2087) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bea2c7b2a054321b99b855abaa7ede8f_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bea2c7b2a054321b99b855abaa7ede8f_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2196
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2592

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\mssecsvr.exe

    Filesize

    2.2MB

    MD5

    d5807bba032a43cefb7395db67815b92

    SHA1

    16fd39c70c5bc03ffb413791fe557442efd5d20f

    SHA256

    50b2154a7a32c24a4e1527c8f5ad13b59714669f76fbb8c4b06ef639ca10386a

    SHA512

    9c7b90604392dac65562a91b8c3b852bbdce8bf1f6a08e06d873e76460fad2ace665f32d58b2598a13356bda53a1f2b65845107e0e24c28807075d074d743a2c

  • C:\Windows\tasksche.exe

    Filesize

    2.0MB

    MD5

    360eacd6ecc8bcf9d8be365359a4015a

    SHA1

    543e07d13c23ffc47473cc44662b4f68f7c89422

    SHA256

    333a8fce65282a63680b96b5421265c8e04497b1944612cb8d2e7418aca71aac

    SHA512

    6c25aae097f1d0e42b7cf665f95985f4d519b35341fbebd1d57d8d13c027078351677e1a74b3f764363a2efffa33d72e5d5197892b9e5f0a40a346d2ba0ea977