Overview

overview

10

Static

static

3

76b47e0829...18.dll

windows7-x64

10

76b47e0829...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-07-2024 02:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76b47e0829177757b39cf3c3672049dd_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    76b47e0829177757b39cf3c3672049dd

  • SHA1

    dbab88d0ccdff8a78012894b26e5845a2e3597fb

  • SHA256

    e228fc7b9ac453a1df8cbffcb11556e54671ccd3d2b5f0726b03974259d65972

  • SHA512

    7cb17c53fbfdad0f124e298cb7d00085bec7fa5ac3c0a76ce2eb2dbdf6c8832dab0dd3dbf48a324c324eae582526af1619563c98d2bdf8080268777135c800a0

  • SSDEEP

    24576:RbLgurihdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLJX6SAScROAdmv:RnnMSPbcBVQej/1INN6SA7ROnv

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3222) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\76b47e0829177757b39cf3c3672049dd_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\76b47e0829177757b39cf3c3672049dd_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1104
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvr.exe
    Filesize

    2.2MB

    MD5

    fc8673c4cdafdd35edfa46a7b22d2247

    SHA1

    d41438176bf6a7bcfa915abc900b1313164de44a

    SHA256

    40bc9c854b27df9090b52786e6b9032cd1a5c45e05456be6af3e543f27a31bd8

    SHA512

    77fb76753bc405a27ab02c3916cb1317dc9ba1ea64f2f4c451c005882b0932939dc77bcbb292bc6145b0f3c25a1d318680cb32ec88cfe09bbe5f14d0950b217c

    Download Submit