Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20-07-2024 07:35

General

  • Target: 5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll
  • Size: 5.0MB
  • MD5: 5f9712ebac8e01ad652eb22faf575303
  • SHA1: 1139a8bda8a7b5a9493838ff9f1f69a42b5bffe8
  • SHA256: bcfac336d155a89cb2e09559499c8d87b8bd1a690cf075089a7173a874b2625e
  • SHA512: c3b9a7095ccb3511b258b0b8d3c4db9eba8126cc2e7003f6f29645b89b323cd19477977ed61d79efdfd40f92aeedabc121b28760115240fd1ba1607b8e0eeaef
  • SSDEEP: 49152:SnAQqMSPbcBVQej/1INRj+TSqTdX1HkQfSAARdhn:+DqPoBhz1aRjcSUDk8SAEdh

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm. The chain seen in this run matches the known sample layout: the submitted DLL, loaded through rundll32.exe, writes the worm component mssecsvc.exe into the Windows directory; mssecsvc.exe extracts and starts the encryptor tasksche.exe with the /i argument, and is re-launched as a service with -m security (the worm registers itself as the mssecsvc2.0 service). Spreading is done over SMBv1 on TCP/445 using the EternalBlue exploit for MS17-010.

  • Contacts a large number (3353) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services. For this sample it is the worm's SMB sweep: it enumerates the local subnet and then probes randomly generated internet addresses on TCP/445, which is why the host count is in the thousands within the 150 s network window.

  • Executes dropped EXE (3 IoCs)
  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services. It is the same SMB sweep counted per connection rather than per host.

  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (5 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

    Check the target PID before treating this as injection: in this tree it is raised on the two rundll32.exe instances, both of which go on to create a child process (the 64-bit rundll32.exe hands the 32-bit DLL to its SysWOW64 counterpart, which then starts mssecsvc.exe). Writes into a freshly created child are expected during process setup; writes into an unrelated, already running process are not.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4952
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4276
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:4840
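The process tree above is a usable detection template in itself: rundll32.exe spawning a fresh executable directly under C:\Windows, the worm starting tasksche.exe /i, and the service-mode mssecsvc.exe -m security. The rules below are an added example, not part of the sandbox report. The events are constructed Sysmon-style process-creation records (pid, ppid, image, command line) built from the Processes section; the parents of the two tree roots (an assumed explorer.exe with PID 1000 and services.exe with PID 700) and the benign rundll32.exe event are assumptions made for illustration.

```python
"""Process-chain rules for the execution tree shown in this report.

Added example, not from the sandbox report. The parent PIDs 1000 and 700 and
the benign rundll32.exe event are constructed assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


WINDOWS_ROOT = PureWindowsPath("C:/Windows")
DROP_NAMES = {"mssecsvc.exe", "tasksche.exe"}  # file names from the report's tree


def _name(image):
    return PureWindowsPath(image).name.lower()


def _in_windows_root(image):
    """True only for files directly under C:\\Windows (not System32 or SysWOW64)."""
    return PureWindowsPath(image).parent.as_posix().lower() == WINDOWS_ROOT.as_posix().lower()


def detect_chain(events):
    """Return {pid: [rule, ...]} for events matching the rules below."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        rules = []
        parent = by_pid.get(e.ppid)
        name = _name(e.image)
        argv = e.cmdline.lower().split()
        # rundll32.exe (a DLL host) creating a new EXE that lives in the Windows root
        if parent and _name(parent.image) == "rundll32.exe" and _in_windows_root(e.image):
            rules.append("rundll32_spawns_exe_in_windows_root")
        # the dropper's well-known file names, whatever the parent
        if name in DROP_NAMES:
            rules.append("wannacry_drop_name")
        # the worm launching the encryptor with its install switch
        if parent and _name(parent.image) == "mssecsvc.exe" and name == "tasksche.exe" and "/i" in argv[1:]:
            rules.append("mssecsvc_launches_tasksche_install")
        # service-mode start of the worm
        if name == "mssecsvc.exe" and argv[1:] == ["-m", "security"]:
            rules.append("mssecsvc_service_mode")
        if rules:
            hits[e.pid] = rules
    return hits


def build_sample_events():
    """Constructed events reproducing the report's process tree plus one benign rundll32.exe."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll"
    return [
        ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),            # assumed root
        ProcEvent(3368, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {dll},#1"),
        ProcEvent(4272, 3368, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {dll},#1"),
        ProcEvent(4952, 4272, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
        ProcEvent(4276, 4952, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
        ProcEvent(700, 1, r"C:\Windows\System32\services.exe", "services.exe"),  # assumed root
        ProcEvent(4840, 700, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
        ProcEvent(5000, 1000, r"C:\Windows\System32\rundll32.exe",
                  "rundll32.exe shell32.dll,Control_RunDLL"),                    # benign
    ]


if __name__ == "__main__":
    for pid, rules in detect_chain(build_sample_events()).items():
        print(pid, rules)
```

The first rule is the one worth keeping beyond this family: rundll32.exe is a DLL host, and a DLL that needs to materialise a new executable in the Windows root and run it is behaving as a dropper regardless of what the file is called. The 64-bit to SysWOW64 rundll32.exe hop (PID 3368 to 4272) is not flagged; it is how Windows runs a 32-bit DLL from a 64-bit shell.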

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\mssecsvc.exe
    Filesize: 3.6MB
    MD5: 857018e3a113164751f35c9b2e081783
    SHA1: c1c4a786ea314e10b514da19b03903463affccdf
    SHA256: b9bb7fd86d9594c0de91bf427eb65b486fe704de0f2437da0df12a5ea9be7a24
    SHA512: d02c4ec5b2763d7e9a09f5ed6051e382d3afff1aee08ce872210a109bd49c72dd3e77ccca15b3dd858678d7dca7818d48d8130ec51a459a4227a80c564dfc998

  • C:\Windows\tasksche.exe
    Filesize: 3.4MB
    MD5: 4c082b40c63985f83bbc68469f3947ae
    SHA1: ff7819efe83ff2e009fb329fb590aa9208ff6d8d
    SHA256: af4963c74d16ec93851286598e39d300899ae18dbb4e76a573e87ffa1746e15f
    SHA512: 8200bf925a451e505207ff9cbbc371ee179247baf4a07ecb69a1e8014720833055d533dabe629af77c5c3658370441bc2d01047ce3d0faf532a38278d116bcec
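The three SHA256 values on this page (the submitted DLL plus the two dropped files) are the hashes a responder would sweep a host for. The sweep below is an added example, not part of the sandbox report; the hash table is copied from the General and Downloads sections, while the directory walk, the drop-name check and the sample files it creates are constructed for illustration. A hash match is exact-file only, so a repacked variant will not hit; the check on the dropped file names mssecsvc.exe and tasksche.exe is kept alongside it for that reason.

```python
"""Hash-based IoC sweep for the artifacts listed in this report.

Added example, not from the sandbox report. The SHA256 table is taken from the
report; everything else (walk, drop-name check, sample tree) is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# sha256 -> artifact, copied from the report's General and Downloads sections
WANNACRY_IOCS = {
    "bcfac336d155a89cb2e09559499c8d87b8bd1a690cf075089a7173a874b2625e": "5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll (submitted dropper DLL)",
    "b9bb7fd86d9594c0de91bf427eb65b486fe704de0f2437da0df12a5ea9be7a24": "mssecsvc.exe (dropped worm component)",
    "af4963c74d16ec93851286598e39d300899ae18dbb4e76a573e87ffa1746e15f": "tasksche.exe (dropped encryptor)",
}

# file names the dropper writes into the Windows directory (report's Processes section)
DROP_NAMES = {"mssecsvc.exe", "tasksche.exe"}


def file_digests(path, chunk=1 << 20):
    """Compute md5/sha1/sha256 of a file in one pass without loading it whole."""
    hashes = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashes.items()}


def sweep(root, iocs=WANNACRY_IOCS, drop_names=DROP_NAMES):
    """Walk root and return [(path, reason)] for files whose sha256 is in iocs,
    or which carry one of the dropped names without a hash match (possible variant)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digests = file_digests(p)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digests["sha256"] in iocs:
                findings.append((str(p), f"sha256 match: {iocs[digests['sha256']]}"))
            elif name.lower() in drop_names:
                findings.append((str(p), "known WannaCry drop name, hash not in table"))
    return findings


def build_sample_tree():
    """Constructed sample tree: a decoy mssecsvc.exe with unrelated bytes, a benign
    file, an empty file, and a file whose hash is registered as a test-only IoC.
    Returns (root, iocs)."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    (root / "Windows").mkdir()
    (root / "Windows" / "mssecsvc.exe").write_bytes(b"constructed decoy, not the malware")
    (root / "Windows" / "notepad.exe").write_bytes(b"constructed benign file")
    (root / "empty.bin").write_bytes(b"")
    sample = root / "Users" / "Admin" / "sample.bin"
    sample.parent.mkdir(parents=True)
    sample.write_bytes(b"constructed sample bytes")
    iocs = dict(WANNACRY_IOCS)
    iocs[hashlib.sha256(b"constructed sample bytes").hexdigest()] = "constructed test IoC"
    return root, iocs


if __name__ == "__main__":
    root, iocs = build_sample_tree()
    for path, reason in sweep(root, iocs):
        print(f"{reason}: {path}")
```

On a real host point sweep() at the system drive and pass WANNACRY_IOCS unchanged; the MD5 and SHA1 values from the report can be added as keys the same way if your feed only carries those, but prefer SHA256 for the match.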