Overview

overview

10

Static

static

3

db203ae979...18.dll

windows7-x64

10

db203ae979...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-09-2024 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db203ae97938b49c4d91cbb8a8f499f4_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    db203ae97938b49c4d91cbb8a8f499f4

  • SHA1

    cde7c674f61b2ddc7da3a405f8d7e717b7797787

  • SHA256

    162b17147eb863250d401a4c89baf8e7325456dd5406fbdca53538a8dfd6248e

  • SHA512

    2d3a1dab1ea7b9ed9e7f45086b1a1e166f32545bdc931a2b18df681cedf73f2f6662f74dd7f19250a23e76378d5fd7f859667ba421083e88b0d31478d0626435

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9c:+DqPoBhz1aRxcSUDk36SAEdhvxWa9c

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3324) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\db203ae97938b49c4d91cbb8a8f499f4_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\db203ae97938b49c4d91cbb8a8f499f4_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1540
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3620
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    d0feb8e907f1d8dd96ec26adb618f91c

    SHA1

    c0074f5ee3f44e94497cd051dbac286d114bfa13

    SHA256

    9aa8cadf116155d66a8f15b7bda017c07ecb18ebc54a0ef786efbd1fda8e335e

    SHA512

    26d1a98817db099b94335d578f9ab98ca64470148709ed8d7d18b97aad331ec35b5f6641c3d241ef73e093242d493827104b212e2cc7b5734b48b6cada20e166

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    eb4c72829a42a0d5c8539cd35dbbc0d9

    SHA1

    3636374353964c1db51b32dd9b2326d2224f5e4f

    SHA256

    426e594563b1bb1bf822a602390464a5354ba2eb2f3bbf69fca55df74779a07e

    SHA512

    2792282c4bab764d6172655289351a088422f40a0df031e5d1dc9f25cdfa4a456304a9d82a8df49bd9c5e7b13ec3e5d586848aabd6a59a633765104777aab252

    Download Submit