Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

de21664ecc...18.dll

windows7-x64

10

de21664ecc...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/09/2024, 09:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de21664ecc0057751b0d3748657e1ff1_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    de21664ecc0057751b0d3748657e1ff1

  • SHA1

    b39324c47c1f4dfc73d05097a17b54072358768f

  • SHA256

    407ba91edf436760116c38d1737262ee02943a3f7f6a556e394fb62a17585783

  • SHA512

    e28cc64aae84422d45bcfd6916c78de6cb99ce468cb6c12b7d25cef0aab02dd247f88b478b72e40562c0a434281a4c049fffde161d7bf2de323d2f2ca6175edb

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3252) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\de21664ecc0057751b0d3748657e1ff1_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\de21664ecc0057751b0d3748657e1ff1_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:860
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2700
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    5bca9fec1ccee765ab92f52a7ca1f660

    SHA1

    a69e9eafd1e9baad233cc977ed15aece2835a649

    SHA256

    feb05cf63c1bd56e038b81e3f0c44f4c2c8251741eeb205a4954e7ba957f9a88

    SHA512

    35e9c350e6cf29357265c1e6ae8e0cb64c1aa1409a8c8aca7256cc6b63f4e062b630c69acfa36633deb4f2974c701e8a8956a9669455cb39d84623fa7106f155

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    e69e8ed45ca0b538abb9dcf2ab696489

    SHA1

    b2ae88cfac2dff393ee6d312ad965ed79239cd84

    SHA256

    705df6507e0d9b8cb1d3928b04823660c935cf6b855dbe5622e18b8295dec180

    SHA512

    8e416bab77451f667eef5b3eb78ec687f18efebef02138db8428d1958216d2c4c08505cf7fbac22c95939c71a3a202466f205101b3da0e2d719164a23f6ac442

    Download Submit