Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-05-2024 08:57

General

  • Target

    456d70a38d22a3938f2d83d5a2e550b6_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    456d70a38d22a3938f2d83d5a2e550b6

  • SHA1

    859d2bb1cadec73c6c909f36a306ded65850f454

  • SHA256

    86803947e0df0d2f334195ffad192a32487d6dcc71a31ee35895b40bc5da7181

  • SHA512

    02092683bb3867ce718d013b883329c20fb38c9b1af22ed9a1ea0ba739694d17514049c35831eeb2c277a0d1296931864f6a40029d3636b5f3eebd159de84922

  • SSDEEP

    49152:znRQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:TaqPoBhz1aRxcSUDk36SAEdhv

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3267) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 2 IoCs
  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\456d70a38d22a3938f2d83d5a2e550b6_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\456d70a38d22a3938f2d83d5a2e550b6_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:324
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    fcb9f3ff8493b1eedec171d4431e763b

    SHA1

    84a513530bb028531eac9486da8ab5dc45012418

    SHA256

    f931d6dff42cd43203b03e6aecd75ca7aee20df44dd80a91f850b95f1fc6cd68

    SHA512

    69d27d59e8201be4c6d58029626f0511b18bc09fb6a6874a8975ccc35bafd7001776c8a517f0be66caf9400c3e0558f3ae08cae2f65938befa5af9b6fb3844a3
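The following is an added example, not output of the sandbox or code from the report. It turns the three behaviours the report records (rundll32 loading the DLL by export ordinal and spawning C:\WINDOWS\mssecsvc.exe, the "-m security" relaunch, and one source contacting thousands of distinct remote hosts) into detection logic, and checks a file against the dropped-file hashes listed under Downloads. The process and flow records are constructed to mirror the report's process tree; the record fields, the parent PIDs of the two root processes, the scan threshold and the benign decoy entries are assumptions, not data from the report.

```python
"""Detection logic for the behaviour in the WannaCry sandbox report (added example).

Replays constructed process-creation and network-flow records and flags:
  1. rundll32.exe invoking a DLL export by ordinal (",#1"), a child
     C:\\WINDOWS\\mssecsvc.exe started by rundll32, and the "-m security" relaunch;
  2. a single source contacting many distinct remote hosts (the report's
     "network scan" signature);
  3. file contents matching the report's hashes for the dropped mssecsvc.exe.
Record layout and the root-process parent PIDs are assumptions.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# Hashes of C:\Windows\mssecsvc.exe as listed in the report's Downloads section.
MSSECSVC_IOC = {
    "md5": "fcb9f3ff8493b1eedec171d4431e763b",
    "sha1": "84a513530bb028531eac9486da8ab5dc45012418",
    "sha256": "f931d6dff42cd43203b03e6aecd75ca7aee20df44dd80a91f850b95f1fc6cd68",
}

# Matches a rundll32 command line that names a DLL export by ordinal, e.g. "x.dll,#1".
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\s*$", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int      # parent PID; 0 = unknown (assumption for the tree roots)
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\456d70a38d22a3938f2d83d5a2e550b6_JaffaCakes118.dll"

# Constructed events mirroring the report's process tree (PIDs as reported).
# The final notepad.exe entry is a benign decoy that must not be flagged.
PROC_EVENTS = [
    ProcEvent(1644, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2376, 1644, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(324, 2376, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(2640, 0, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ProcEvent(3000, 0, r"C:\Windows\system32\notepad.exe", "notepad.exe"),
]

# Constructed flows: the sandbox host reaching 3267 distinct addresses (the
# count in the report) plus a quiet host that must not be flagged.
FLOWS = [("10.0.0.5", f"192.168.{i // 256}.{i % 256}") for i in range(3267)]
FLOWS += [("10.0.0.7", "10.0.0.1"), ("10.0.0.7", "10.0.0.2")]


def flag_process_chain(events):
    """Return (pid, reason) findings for the rundll32 -> mssecsvc.exe chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        base = e.image.rsplit("\\", 1)[-1].lower()
        if base == "rundll32.exe" and ORDINAL_EXPORT.search(e.cmdline):
            findings.append((e.pid, "rundll32 loading a DLL export by ordinal"))
        if base == "mssecsvc.exe":
            parent = by_pid.get(e.ppid)
            if parent and parent.image.lower().endswith("rundll32.exe"):
                findings.append((e.pid, "mssecsvc.exe started by rundll32 (dropped payload)"))
            if "-m security" in e.cmdline.lower():
                findings.append((e.pid, "mssecsvc.exe relaunched with '-m security'"))
    return findings


def flag_scanners(flows, threshold=100):
    """Return {src: distinct_destination_count} for sources at or above threshold."""
    seen = defaultdict(set)
    for src, dst in flows:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items() if len(dsts) >= threshold}


def ioc_hash_hits(data):
    """Return the names of the report's hashes that match the given file bytes."""
    computed = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return [name for name, value in MSSECSVC_IOC.items() if computed[name] == value]


if __name__ == "__main__":
    for pid, reason in flag_process_chain(PROC_EVENTS):
        print(f"PID {pid}: {reason}")
    for src, count in flag_scanners(FLOWS).items():
        print(f"{src} contacted {count} distinct hosts")
    print("hash hits for a harmless blob:", ioc_hash_hits(b"not the sample"))
```

On a real host the same logic runs over Sysmon process-creation and network-connection events, and `ioc_hash_hits` is applied to the bytes of C:\Windows\mssecsvc.exe; the threshold of 100 distinct destinations is a starting point to tune per environment, not a value from the report.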