Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-09-2024 20:28

General

  • Target

    d50c9346c265f81358e2dbdce763617a_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    d50c9346c265f81358e2dbdce763617a

  • SHA1

    25b5e61f896b37cf5d9ca56df78ee760e9c57a49

  • SHA256

    50528112e0f28a1adc1fe9dd6807db610ff140e3bb2704a7df000f423cb620d6

  • SHA512

    3a24c4d2c7fefce62f0eecdd376288b8799d3c585d3f372ac337aa4fa13dae0e426159dbe998b0caca8a94b0c4cbe2c428f3b59c43ab1d25cdab08528d1fd1de

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0UX6SASk+Kdq/:SnAQqMSPbcBV46SAA

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3229) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d50c9346c265f81358e2dbdce763617a_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d50c9346c265f81358e2dbdce763617a_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2340
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2944
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    281785957971227851a775b7fabf32d3

    SHA1

    5b73621e6f4cd2848ca17d57c43e610b59496374

    SHA256

    e4f112ef0ddd8d82c110f4dd904ea17ede6f21b507c966683fa32de362353a53

    SHA512

    f1d096ad38b4468d350649b5ba22eb1f642b1787ce2ed4bac9fe943eadf2b06a93e98eb94e17b533410be83c93d61559926edfdd6f6cf4b902cd5ec54e8225a0

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    1d6fc7853b5b529ec7bd592edbb0b8d2

    SHA1

    53c4bb1be9cff30a1c8face761d885e2b8b2319d

    SHA256

    e1da4d2d9668d6811d584c148934241215d8704b901ce19d4cbcd83c22d5ba29

    SHA512

    69deb3ee3fe2e2075e5ec0282ce770da180bab6ccb5992cdc898bdead88bb229b9e8dad8c3d0c42cbbd2e2ab9150a0a0f8ef3dad4efae086aa0d5a147f6f9835