Overview

overview

10

Static

static

3

fd7c451d53...18.dll

windows7-x64

10

fd7c451d53...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2024 00:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd7c451d538bde5e7f4c44f9adcd9f20_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    fd7c451d538bde5e7f4c44f9adcd9f20

  • SHA1

    52bca09f35d9c23bd96d5bbad1fd5e06a245190f

  • SHA256

    3950179ee45f03af2d6c1130d0db04ad3441c2befc7fb5a28460d5fc45f1beb8

  • SHA512

    fd2926b03f3680d2f9f05ed209c617f7e00069ee451e4bc2c1233dcf6d62f4f6bc414d3cd390fa9d66e814e1ab4364fa20ae0a58a4d496df7c07b250b43bcb0f

  • SSDEEP

    24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIq:znAQqMSPbcBVQej/

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3279) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd7c451d538bde5e7f4c44f9adcd9f20_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd7c451d538bde5e7f4c44f9adcd9f20_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3344
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4592
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    323b926c93cc6130bbb006a7cfaba379

    SHA1

    d6af0736828aa426508a94d60a42dd5001a0c28b

    SHA256

    63406e40a2ba679eca83b3a127ff2af9a7a02402574a82801a4f739fc901e6cf

    SHA512

    a96e3d82146f4270e46077428933f15b84db1630eb8a44e42754860b13b30297e2fdaaca0a4934294da3a8fcd99cac0c6f36cb4816a0fc7c45c7d0b01b9a4b25

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    df02556b80331232a43186bc3fa582a3

    SHA1

    44f8c4fee2c22e8728cc65871f168d7365c01368

    SHA256

    48361f23788cc27891f05c2d45b8a0cd4dfe8e8a45f1654fdb2a913609a6a64d

    SHA512

    412b30722673cb07fc6497a176e4d25ab166c6462996f7f2905622617c080339a6f027db19fd0bab0e778ee72b64ef53c6f0e158b6a49d1abd7bf36916d1fe81

    Download Submit