Overview

overview

10

Static

static

3

6778f5c54d...18.dll

windows7-x64

10

6778f5c54d...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23-07-2024 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6778f5c54d5906dfde09a8d37fa7537d_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    6778f5c54d5906dfde09a8d37fa7537d

  • SHA1

    77c32c465392264a8b5ac49b1d4665d47e26d87b

  • SHA256

    b21afd7e789cabc476f4b371b53ea9b58f60fc4a6b9cdd900a3e66c2d22cafae

  • SHA512

    9e4f03690a494119060f13f476e76dade5f4cbd052d9bc873be837e7aa74067c10568f7e3ece8a0baaf400f5a798ed74f9aae5a62be547abf8754a2c8a32d4ed

  • SSDEEP

    49152:SnAQXMShacBVe/1INRx+TSqTdX1HkQo6SAARdhnv/Eau3RZAH:+DXhfBQ1aRxcSUDk36SAEdhvW3RiH

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3086) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6778f5c54d5906dfde09a8d37fa7537d_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6778f5c54d5906dfde09a8d37fa7537d_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:840
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    55080d7d11f67cfa57b37d6e69e79387

    SHA1

    22a09e9f793c5ad7affefab60c98d3758821c4a3

    SHA256

    edf132b59e8536178369a7f7383bba37248d90ad5eefbc6c3001ee68554514d6

    SHA512

    7116e86539844e2e279a3b22bd67ac7759dc9dc2f1d1f35a79466a4b53568d381bdff491809e80c126df23b08c529a0f4b4dcf88aea3b0426756a9a062b22e33

    Download Submit