Overview

overview

10

Static

static

3

6567e66330...18.dll

windows7-x64

10

6567e66330...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2024 00:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6567e663303386b7152d5fcab1f06cac_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    6567e663303386b7152d5fcab1f06cac

  • SHA1

    fc2ce59f87aa3688e20880d68b6bbb5cbffa2080

  • SHA256

    a6b18c8735800b87e039cf889ae0a87034d77353cd717f92a83815d3eb9cc5ba

  • SHA512

    f2a683e2dfa7c4e8b27ab9e58a846cd7978d78a0002a608da4550e9e96e14ed6ba82d5f40cd0b1dd7d662b3b9a10e3b723a5d416d25d2532f845ec588d3a24ec

  • SSDEEP

    12288:T1bLgmluCti62ybaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D:RbLgurihdmMSirYbcMNgef0

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3251) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6567e663303386b7152d5fcab1f06cac_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6567e663303386b7152d5fcab1f06cac_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2924
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvr.exe
    Filesize

    2.2MB

    MD5

    4287444bd0224adc97f03c4434d13360

    SHA1

    142647fa570eff9b2d2b9105083675486a89165b

    SHA256

    6e946bd162e069f25d081c7b94a0991c2285d6903e1567cc81a29110693a5827

    SHA512

    88a4974e6897723f466b49c478ca43c3c757eaa18743e7acf95ac805677352b256b28c006230da3ee6f5df6e592fd3b1ca962182ec14e2aaff4e8c280d26c380

    Download Submit