Overview

overview

10

Static

static

3

d0068c739e...18.dll

windows7-x64

10

d0068c739e...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-09-2024 17:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0068c739eb772e954bcd76c4b013fdd_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    d0068c739eb772e954bcd76c4b013fdd

  • SHA1

    380f0c98dbee812b65bd133cb1f9a09a3173869e

  • SHA256

    5239f7bdb6d48f8d197d8df5228ef88e2e26c3d6e2da83a05c8518a736a54f4c

  • SHA512

    358e7b46024a72b4f5c0cec84c4a710d8e52a1c8743a1b36a56f85b6f15bfa6b60a5c490bee00f5abd255c56196fcbc9a7aceeb002b9ba53cc5af8d66395b4dd

  • SSDEEP

    49152:SntQNMSPbcBVQej/1INLJqqfHf0r7rKu60/:+2NPoBhz1aFqQHf0r7r7j

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (2175) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0068c739eb772e954bcd76c4b013fdd_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0068c739eb772e954bcd76c4b013fdd_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4452
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1828
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    a9cb44129a7327e44d4dd57b66b6bcb8

    SHA1

    235dbbfb1d83e7bdc42438a259b73c019bd3cefd

    SHA256

    921c7e54eb8e8697f6d0035ad6113ca818c8fa9b3eb8853ea0f6a6019a8dea1e

    SHA512

    92c6dadedcad2bc4f2ed8ab73708f1cd682d155ded1f4e24095848933c07e00cba2d1074a6f3fd3ee3a59ff1d8ae1f3d6e35b417324fab2fc5a42fbb5b7cbdf8

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    682fad8db4fece183dd0ac77a20b49d4

    SHA1

    e01e60db1bfe0b5d508be835d298f7627f3a6bdf

    SHA256

    b2f53f4ea199e8e954335db47ac89dc7352f321af705d487de5cbe3e141d9136

    SHA512

    9481593c5da29375a1617212e3f2b3ed6ff75ee532d02178ebab02a966c750f0a1fbade26b409c265bbd5ce0b176c73b7a1383727e6181ab5442720c6f7e4977

    Download Submit