Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/07/2024, 02:15

General

  • Target

    47cb345c8f7850274d485d98345b5ddd_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    47cb345c8f7850274d485d98345b5ddd

  • SHA1

    c4f0e83f39030ed5c43041ac2edce7167859f6e6

  • SHA256

    b4f1d2ac45324ec816f0b5bc9ccfecb77324a312f48a36a3c71ae9477668a513

  • SHA512

    bd39caf1246fdac03387e7938944e66f82966f08969752a817f221486ec5c8a5f6a3b984407df2e2a108076eed5d939172a452bfc834bfd2a66014f04aa47634

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P53DIe2sDg2y8KMfd:+DqPe1Cxcxk3ZAEUadZDbVDzy8KI

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3239) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\47cb345c8f7850274d485d98345b5ddd_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\47cb345c8f7850274d485d98345b5ddd_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4908
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2840
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1768

Network

        Downloads

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          5f672b3389fce030e9e42c858ad1c929

          SHA1

          8bf9dcffa097967793f4a8a7c628662f45125fd2

          SHA256

          dbcdee0be0584c90b6d3d2dabb005c37ce49bab2d1538bba5462116b85df2140

          SHA512

          5b7efa9189858ba46b1d0951a9eee49b77098c898929b439cb1dbd1be8bf41f0db61a3e57a74d87262f3aacd4e4d1f562194e804869f6d247a6466a700670442

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          42f0b341b5e17d4b0922f25e8073e4ab

          SHA1

          414ae46dc3a29aeef8f532c0f5e3849cd628d7b3

          SHA256

          aa8b37af8e862ec6190b393ca1a968c0382b4673f1c8811ca1d8ebcb4f903959

          SHA512

          618e179a1c793de111563304bd4bf9c8c50bbea5b2c96f381a81a46379ad66ca8ec0df9d0a4ff2a33659dd629ebab4c22a2c8af5d2b968d6eb02e0d519addad4