Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-09-2024 09:11

General

  • Target

    dc2652699bfb0a04b639db5b7ea17f99_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    dc2652699bfb0a04b639db5b7ea17f99

  • SHA1

    bf5e71c716c8a6a3632a1f0ca631faf942ce0b9e

  • SHA256

    993e5aec92db5f75b29d8f25ede03682f41f5a1e0dff2891a468dd29fd495911

  • SHA512

    f65a9b62c282b21e1d2237ced8b8fafb242e22a917222fc00250b2fa56bd7a3d0cc7a8ecf6540d8f7b0d0c5bbb46ecf892ad347f96f64e7b0e84de6f00a56a31

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SA+4sssPRh5EXaeCpL4:+DqPe1Cxcxk3ZAyRhWXaN4

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3205) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc2652699bfb0a04b639db5b7ea17f99_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc2652699bfb0a04b639db5b7ea17f99_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1700
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2744
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    91f85880056b94e83a0f368f13d4b13d

    SHA1

    37b91eadc85259d644fe1869c76ac04676f996de

    SHA256

    0a7cb7e432754cf56ccd147f6d4ab96e5f6a89711e83c9644593eab68dc00dcc

    SHA512

    0385d3b796a344bfcfeb91fd4ef8818574d50da163b5a5f5432ec16982afe8da2258f59f3222fe267d7439fd9fe5121889a055f60d312585da3931c04bc9300d

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    13edf5ab66f6af92531ef08c010459bf

    SHA1

    e69b2b4a375f82f8d99eb2c972eb60743e239212

    SHA256

    1a1649b6b6c0e6846ec7337e1e2a522a374f8a1f2a119e6819f968379e9a372b

    SHA512

    33a32b5eb984925d13cef484d8abe6b39882029f0890e8f78f410659f71fe43cbc81992d9ec178efc5e61a71a6eb9667dbb9ccdbfa75dedc2acd8381fa254f67