Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-07-2024 09:00

General

  • Target

    5fd7c5847a979da93eccc83311c7d20c_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    5fd7c5847a979da93eccc83311c7d20c

  • SHA1

    19842decbad5349efd43bf0e5538829759d721df

  • SHA256

    70e3971f4e7d182d1c4f4d960342e4621aaa8e9bc2807b9963c2ba7fe02c9618

  • SHA512

    f54bc1a5e9598899467cc33466db1598a68aa3cd7ab4b94c3be831d5ae7c0f00c82df53767d17d627b61622040869d2fd40087b39a697253d2d1b42a634626d7

  • SSDEEP

    24576:MbLguVQhfdmMSirYbcMNgef0QeQjGT6SASk+RdhAdmv:MnFQqMSPbcBVQejT6SAARdhnv

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3161) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fd7c5847a979da93eccc83311c7d20c_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fd7c5847a979da93eccc83311c7d20c_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4468
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:3760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvr.exe

    Filesize

    2.2MB

    MD5

    235d6e4709cc75228765c5a8f323988b

    SHA1

    c804979d4dfc5d95e2fbba1aeb5049ee9f0ba9b8

    SHA256

    7501bfd06cd17850f4d2676b8254c48bef85526b810ec80d9e09bd665e76df61

    SHA512

    e077d4a52e718554802ffc208f14d5efa638942623a9461b5776eef44c625be465f283a2819840c4d427f20061e1d1e744632d890e77065537598d89bb91af03