Overview

overview

10

Static

static

3

eee6f883f7...18.dll

windows7-x64

10

eee6f883f7...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-09-2024 02:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eee6f883f7da3efafba40d560ae5f1c9_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    eee6f883f7da3efafba40d560ae5f1c9

  • SHA1

    3edb61b26bdb771c0210d2ae62e77e7be214eb00

  • SHA256

    fea1973ad1ef8844c4efdddd08c4b6ce9744b74deb3c8084d4c10453d42c87b1

  • SHA512

    1414e726a3b4626a08c8ecbeb41afdbd2fd3dd68c83415269626287cd7760280cde0b2717dfa3eb43d9be3999fd42d230ac47217d3f0b15face0a7531881efe4

  • SSDEEP

    49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAMh9FWy8U4WpEk6aize3wK:d8qPoBhz1aRxcSUDk36SAAanaiK3L

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3351) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\eee6f883f7da3efafba40d560ae5f1c9_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\eee6f883f7da3efafba40d560ae5f1c9_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4500
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2268
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    3666bcbd17b5260f540b7dbd93c5e0fe

    SHA1

    1c8e39d158633695f4d65b8447573748a2617283

    SHA256

    a47a7632ad1ed4c8499cd3aa6c41fe151d410fae1ea06855231c7d3b4089baf7

    SHA512

    407463a8ca610f4ee3ddc811f0cd221bddb8a054f68b4f3b7f36a3ad441b990c2edb7b79c9899c914216e464cdc73a33122dc95fd2e4c094dfd70247054d84ba

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    a0e9fc052295bcbfe3cb412e5a4a9338

    SHA1

    93460ee6176f11e3691573fc52b291cf7261e3fa

    SHA256

    548dd44dc103d64a5b25f44b9335457b55c750dab7d3e1eb6dfd6ad291433380

    SHA512

    5bc8e95733b7ee00e8e28cd98d6144212bb47741c6d1647677b1b71571daa52979917f527a0e6eaff44f82c5233e43268f82b7b0c7973dff45ff1ef1bc3ea450

    Download Submit