Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 11:30

General

  • Target

    ed7cd9ddd0c1e1cf38f59e9e664d080f_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    ed7cd9ddd0c1e1cf38f59e9e664d080f

  • SHA1

    6b09a1cb5f9f43bd961176c90ace84a3030aff04

  • SHA256

    d0535ad814de0ff7c164c849978445568d67ecc93e9d56b92a972d2103925050

  • SHA512

    5e86173fe6354ba764b2e2281074d3afd679fdc451de22a10b47a130945cfb22df3dece5c195016eb4f62240b093ba104b118bf40f52535fd5e84ec21ca67099

  • SSDEEP

    49152:SnjQxMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARxEau3R8yAH1p:+8xPoBhz1aRxcSUDk36SAE43R8yAVp

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3280) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed7cd9ddd0c1e1cf38f59e9e664d080f_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed7cd9ddd0c1e1cf38f59e9e664d080f_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1552
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    5dbf1c7a182f3a1467d7a64bbfe3f72d

    SHA1

    ce587e332b205c39936c60671c32490270a7a829

    SHA256

    786ac51de4a52f74c69e239b2a65caf8036da31e6e785cf4c11519de1d978894

    SHA512

    e3ac0a9d0a667d5571358e2014c6a9b3db5c0c276d5cf8e7fcb849b146416b019487541147c0d33b9c4a6b495163e06347fbf920e0c0ee2c094235e873b145fa

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    c18443dcca8165ec96d671495ae9675e

    SHA1

    dfbf4ee502933dc96aef9d29dc3c2e35f053921f

    SHA256

    9e89a638ce8d9c47eed2df8aa7540a7a20e176302be41735a3985306758f0653

    SHA512

    240a8bbc3da3d4324a8d9cebe58bd2a76809470bb49e8297a704bef406d3f441c59df2b39eacb6a4a1401679ae1460dbe6c8313758524753ad4d51c41e587833