Overview

overview

10

Static

static

3

9a142dcdc5...18.dll

windows7-x64

10

9a142dcdc5...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 12:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a142dcdc57eac7225800aa114f1fdb5_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    9a142dcdc57eac7225800aa114f1fdb5

  • SHA1

    bc90302f32c9ac5d929b8e99829dfd42ec6ebc94

  • SHA256

    5b9009ee5b3987c5dc3f3e9a2521ec67ecb99c0a24e9350af7ff6fb885c96bad

  • SHA512

    e4c5916af04c3ab3d94bcd5bf8761293c748d3648f9d652945df5fcfbfc870fde3bf7e147b6944b39916e49a8f087369031a885a23077700e985a91888f9e9fe

  • SSDEEP

    49152:RnsEMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhnv:1fPoBhz1aRxcSUZk36SAEdhv

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3024) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a142dcdc57eac7225800aa114f1fdb5_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a142dcdc57eac7225800aa114f1fdb5_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4560
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvr.exe
    Filesize

    2.2MB

    MD5

    facec650314b579be8b7d63fe1bafcc6

    SHA1

    02cd1e367f17177a74159ccb8ce4919f72d51f7c

    SHA256

    b754ec6655c8fc7813078fb9339cdac8929dd41b1ba9cec3cec9bb267b1fccbc

    SHA512

    d937527b947ee72373716596b9cb0e7055ef4c187ff79997fcccefaa20ceb24871d767bf5afb069b6e3c8d75a3eba745b49c0d09c79a0541c3410afaa92e1636

    Download Submit