
Windows Analysis Report
sEVVq8g1dJ.dll

Overview

General Information

Sample name: sEVVq8g1dJ.dll (renamed because original name is a hash value)
Original sample name: c7e5be99bbe892922a0ab14dc429f830.dll
Analysis ID: 1591359
MD5: c7e5be99bbe892922a0ab14dc429f830
SHA1: 504b5f58e7248b351843c93beb0b5cca3888691a
SHA256: 743d97c117a7c52da04bc432fa5ed53855eab3a0f7c0f7d795cdf83b51fad1be
Tags: dll, exe, user-mentality

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to download HTTP data from a sinkholed server
Yara detected Wannacry ransomware
AI detected suspicious sample
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7300 cmdline: loaddll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7352 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7376 cmdline: rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7360 cmdline: rundll32.exe C:\Users\user\Desktop\sEVVq8g1dJ.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvc.exe (PID: 7400 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 1D18214215A7D82EE587DCE2FEFE82C8)
    • rundll32.exe (PID: 7524 cmdline: rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvc.exe (PID: 7540 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 1D18214215A7D82EE587DCE2FEFE82C8)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sEVVq8g1dJ.dll | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
sEVVq8g1dJ.dll | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
    • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
    • 0x353d0:$x3: tasksche.exe
    • 0x455e0:$x3: tasksche.exe
    • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
    • 0x45634:$x5: WNcry@2ol7
    • 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    • 0x3028:$x7: mssecsvc.exe
    • 0x120ac:$x7: mssecsvc.exe
    • 0x1b3b4:$x7: mssecsvc.exe
    • 0x353a8:$x8: C:\%s\qeriuwjhrf
    • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
    • 0x3014:$s1: C:\%s\%s
    • 0x12098:$s1: C:\%s\%s
    • 0x1b39c:$s1: C:\%s\%s
    • 0x353bc:$s1: C:\%s\%s
    • 0x45534:$s3: cmd.exe /c "%s"
    • 0x77a88:$s4: msg/m_portuguese.wnry
    • 0x326f0:$s5: \\192.168.56.20\IPC$
    • 0x1fae5:$s6: \\172.16.99.5\IPC$
    • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
    • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
sEVVq8g1dJ.dll | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
    • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source | Rule | Description | Author | Strings
C:\Windows\mssecsvc.exe | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
C:\Windows\mssecsvc.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
      • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
      • 0x3136c:$x3: tasksche.exe
      • 0x4157c:$x3: tasksche.exe
      • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
      • 0x415d0:$x5: WNcry@2ol7
      • 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
      • 0xe048:$x7: mssecsvc.exe
      • 0x17350:$x7: mssecsvc.exe
      • 0x31344:$x8: C:\%s\qeriuwjhrf
      • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
      • 0xe034:$s1: C:\%s\%s
      • 0x17338:$s1: C:\%s\%s
      • 0x31358:$s1: C:\%s\%s
      • 0x414d0:$s3: cmd.exe /c "%s"
      • 0x73a24:$s4: msg/m_portuguese.wnry
      • 0x2e68c:$s5: \\192.168.56.20\IPC$
      • 0x1ba81:$s6: \\172.16.99.5\IPC$
      • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
      • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
      • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
      • 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
C:\Windows\mssecsvc.exe | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT)
      • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
      • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
      • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
      • 0x1d439:$s1: __TREEID__PLACEHOLDER__
      • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
      • 0x1f508:$s1: __TREEID__PLACEHOLDER__
      • 0x20570:$s1: __TREEID__PLACEHOLDER__
      • 0x215d8:$s1: __TREEID__PLACEHOLDER__
      • 0x22640:$s1: __TREEID__PLACEHOLDER__
      • 0x236a8:$s1: __TREEID__PLACEHOLDER__
      • 0x24710:$s1: __TREEID__PLACEHOLDER__
      • 0x25778:$s1: __TREEID__PLACEHOLDER__
      • 0x267e0:$s1: __TREEID__PLACEHOLDER__
      • 0x27848:$s1: __TREEID__PLACEHOLDER__
      • 0x288b0:$s1: __TREEID__PLACEHOLDER__
      • 0x29918:$s1: __TREEID__PLACEHOLDER__
      • 0x2a980:$s1: __TREEID__PLACEHOLDER__
      • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
      • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
      • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
      • 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
      • 0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
      • 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvc.exe | Win32_Ransomware_WannaCry | unknown | ReversingLabs
      • 0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
      • 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ...
      • 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ...
      • 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
      • 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Source | Rule | Description | Author | Strings
00000008.00000000.2205283824.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000008.00000002.2213030622.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000005.00000000.2175675999.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000005.00000002.2182825165.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000005.00000000.2175794050.0000000000710000.00000002.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security

Source | Rule | Description | Author | Strings
5.0.mssecsvc.exe.7100a4.1.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
5.0.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
                  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
                  • 0xf4d8:$x3: tasksche.exe
                  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
                  • 0xf52c:$x5: WNcry@2ol7
                  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
                  • 0xf42c:$s3: cmd.exe /c "%s"
                  • 0x41980:$s4: msg/m_portuguese.wnry
                  • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
                  • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
                  • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
                  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
                  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.7100a4.1.unpack | Win32_Ransomware_WannaCry | unknown | ReversingLabs
                  • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
                  • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvc.exe.7100a4.1.unpack | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T22:42:17.647296+0100 | 2031515 | 3 | Misc activity | 104.16.166.228 | 80 | 192.168.2.5 | 49718 | TCP
2025-01-14T22:42:20.672247+0100 | 2031515 | 3 | Misc activity | 104.16.166.228 | 80 | 192.168.2.5 | 49719 | TCP
2025-01-14T22:42:17.144000+0100 | 2024291 | 1 | A Network Trojan was detected | 192.168.2.5 | 56428 | 1.1.1.1 | 53 | UDP
2025-01-14T22:42:17.646998+0100 | 2024298 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.671466+0100 | 2024298 | 1 | A Network Trojan was detected | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:17.646998+0100 | 2024299 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.671466+0100 | 2024299 | 1 | A Network Trojan was detected | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:17.646998+0100 | 2024301 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.671466+0100 | 2024301 | 1 | A Network Trojan was detected | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:17.646998+0100 | 2024302 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.671466+0100 | 2024302 | 1 | A Network Trojan was detected | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:17.646998+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.671466+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP

AV Detection

Source: sEVVq8g1dJ.dll | Avira: detected
Source: C:\Windows\mssecsvc.exe | Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\Windows\mssecsvc.exe | ReversingLabs: Detection: 96%
Source: sEVVq8g1dJ.dll | Virustotal: Detection: 93%
Source: sEVVq8g1dJ.dll | ReversingLabs: Detection: 90%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.8% probability
Source: C:\Windows\mssecsvc.exe | Joe Sandbox ML: detected
Source: sEVVq8g1dJ.dll | Joe Sandbox ML: detected
Source: sEVVq8g1dJ.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Source: Network traffic | Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.5:49718 -> 104.16.166.228:80
Source: Network traffic | Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.5:49719 -> 104.16.166.228:80
Source: Network traffic | Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.5:49718 -> 104.16.166.228:80
Source: Network traffic | Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.5:49718 -> 104.16.166.228:80
Source: Network traffic | Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.5:49719 -> 104.16.166.228:80
Source: Network traffic | Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.5:49718 -> 104.16.166.228:80
Source: Network traffic | Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.5:49719 -> 104.16.166.228:80
Source: Network traffic | Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.5:49719 -> 104.16.166.228:80
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Tue, 14 Jan 2025 21:42:17 GMT; Content-Type: text/html; Content-Length: 607; Connection: close; Server: cloudflare; CF-RAY: 9020cb87fd8215a3-EWR; Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Tue, 14 Jan 2025 21:42:20 GMT; Content-Type: text/html; Content-Length: 607; Connection: close; Server: cloudflare; CF-RAY: 9020cb99fa9915c7-EWR; Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.16.166.228 104.16.166.228
Source: Network traffic | Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.5:56428 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49718 -> 104.16.166.228:80
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49719 -> 104.16.166.228:80
Source: Network traffic | Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.5:49718
Source: Network traffic | Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.5:49719
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe.4.dr | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe, 00000005.00000002.2183334514.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com#
Source: mssecsvc.exe, 00000008.00000002.2213851901.0000000000B98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com)
Source: mssecsvc.exe, 00000005.00000002.2183334514.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2213851901.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2213851901.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe, 00000005.00000002.2183334514.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2213851901.0000000000B98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/L
Source: mssecsvc.exe, 00000005.00000002.2183334514.0000000000C46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/o
Source: mssecsvc.exe, 00000005.00000002.2183334514.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comr
Source: mssecsvc.exe, 00000008.00000002.2213851901.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.kryptoslogic.com

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: sEVVq8g1dJ.dll, type: SAMPLE
Source: Yara match | File source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.2205283824.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2213030622.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2175675999.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2182825165.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2175794050.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2213198887.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.2205486210.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 7400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 7540, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\mssecsvc.exe, type: DROPPED

System Summary

Source: sEVVq8g1dJ.dll, type: SAMPLE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: sEVVq8g1dJ.dll, type: SAMPLE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page | Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry | Author: ReversingLabs
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware | Author: Florian Roth (based on rule by US CERT)
                    Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 00000005.00000000.2175794050.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000008.00000002.2213198887.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000008.00000000.2205486210.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\WINDOWS\mssecsvc.exe
                    Source: mssecsvc.exe.4.dr; Static PE information: Resource name: R, type: PE32 executable (GUI) Intel 80386, for MS Windows
                    Source: sEVVq8g1dJ.dll; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                    Source: sEVVq8g1dJ.dll, type: SAMPLE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: sEVVq8g1dJ.dll, type: SAMPLE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen; date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                    Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen; date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                    Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen; date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                    Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen; date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                    Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: 00000005.00000000.2175794050.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000008.00000002.2213198887.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000008.00000000.2205486210.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: C:\Windows\mssecsvc.exe, type: DROPPED; Matched rule: WannaCry_Ransomware; date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: C:\Windows\mssecsvc.exe, type: DROPPED; Matched rule: WannaCry_Ransomware_Gen; date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                    Source: C:\Windows\mssecsvc.exe, type: DROPPED; Matched rule: wanna_cry_ransomware_generic; date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: C:\Windows\mssecsvc.exe, type: DROPPED; Matched rule: Win32_Ransomware_WannaCry; tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: sEVVq8g1dJ.dll, mssecsvc.exe.4.dr; Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
                    Source: classification engine; Classification label: mal100.rans.evad.winDLL@15/1@1/1
                    Source: C:\Windows\mssecsvc.exe; Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,5_2_00407C40
                    Source: C:\Windows\mssecsvc.exe; Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,5_2_00407CE0
                    Source: C:\Windows\mssecsvc.exe; Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,5_2_00407C40
                    Source: C:\Windows\mssecsvc.exe; Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,5_2_00408090
                    Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
                    Source: sEVVq8g1dJ.dll; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sEVVq8g1dJ.dll,PlayGame
                    Source: sEVVq8g1dJ.dll; Virustotal: Detection: 93%
                    Source: sEVVq8g1dJ.dll; ReversingLabs: Detection: 90%
                    Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll"
                    Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",#1
                    Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\sEVVq8g1dJ.dll,PlayGame
                    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",#1
                    Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
                    Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",PlayGame
                    Source: C:\Windows\System32\loaddll32.exe; Section loaded: apphelp.dll
                    Source: C:\Windows\System32\loaddll32.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\cmd.exe; Section loaded: apphelp.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: apphelp.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: msvcp60.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: iphlpapi.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: wininet.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: iertutil.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: sspicli.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: windows.storage.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: wldp.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: profapi.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: kernel.appcore.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: winhttp.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: mswsock.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: winnsi.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: urlmon.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: srvcli.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: netutils.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: dnsapi.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: rasadhlp.dll
                    Source: C:\Windows\mssecsvc.exe; Section loaded: fwpuclnt.dll
                    Source: C:\Windows\mssecsvc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: sEVVq8g1dJ.dll; Static file information: File size 5267459 > 1048576
                    Source: sEVVq8g1dJ.dll; Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

                    Persistence and Installation Behavior

                    Source: C:\Windows\SysWOW64\rundll32.exe; Executable created and started: C:\WINDOWS\mssecsvc.exe
                    Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\mssecsvc.exe
                    Source: C:\Windows\mssecsvc.exe; Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,5_2_00407C40
                    Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\mssecsvc.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                    Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
                    Source: mssecsvc.exe, 00000008.00000002.2213851901.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWv
                    Source: mssecsvc.exe, 00000005.00000002.2183334514.0000000000C46000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWP
                    Source: mssecsvc.exe, 00000005.00000002.2183334514.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2213851901.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2213851901.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                    Source: mssecsvc.exe, 00000005.00000002.2183334514.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWen-GBn
                    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",#1
MITRE ATT&CK Matrix (one line per tactic; the numbers the report prefixes to some techniques are kept in parentheses):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Service Execution (2), Scheduled Task/Job, At, Cron, Launchd
Persistence: Windows Service (4), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Windows Service (4), Process Injection (11), DLL Side-Loading (1), Login Hook, Network Logon Script
Defense Evasion: Masquerading (12), Rundll32 (1), Virtualization/Sandbox Evasion (1), Process Injection (11), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (1), System Information Discovery (1), System Network Configuration Discovery, Internet Connection Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Non-Application Layer Protocol (2), Application Layer Protocol (2), Ingress Tool Transfer (11), Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1591359
Sample: sEVVq8g1dJ.dll
Startdate: 14/01/2025
Architecture: WINDOWS
Score: 100

Behavior graph (process tree with the signatures, network nodes and dropped files attached to each node):

• Start: sEVVq8g1dJ.dll
  • DNS/IP: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • Signatures: Tries to download HTTP data from a sinkholed server; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); 5 other signatures
  • loaddll32.exe 1 (started)
    • rundll32.exe 1 (started)
      • mssecsvc.exe 6 (started)
        • DNS/IP: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 104.16.166.228, ports 49718, 49719, 80, CLOUDFLARENETUS, United States
        • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    • rundll32.exe (started)
      • Signature: Drops executables to the windows directory (C:\Windows) and starts them
      • mssecsvc.exe 6 (started)
    • cmd.exe 1 (started)
      • rundll32.exe (started)
        • Dropped file: C:\Windows\mssecsvc.exe, PE32
    • conhost.exe (started)

Source | Detection | Scanner | Label
sEVVq8g1dJ.dll | 93% | Virustotal |
sEVVq8g1dJ.dll | 90% | ReversingLabs | Win32.Ransomware.WannaCry
sEVVq8g1dJ.dll | 100% | Avira | TR/Ransom.Gen
sEVVq8g1dJ.dll | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Windows\mssecsvc.exe | 100% | Avira | TR/Ransom.Gen
C:\Windows\mssecsvc.exe | 100% | Joe Sandbox ML |
C:\Windows\mssecsvc.exe | 96% | ReversingLabs | Win32.Ransomware.WannaCry
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comr | 0% | Avira URL Cloud | safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) | 0% | Avira URL Cloud | safe
https://www.kryptoslogic.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.16.166.228 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | mssecsvc.exe.4.dr | false | | high
https://www.kryptoslogic.com | mssecsvc.exe, 00000008.00000002.2213851901.0000000000BFA000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/o | mssecsvc.exe, 00000005.00000002.2183334514.0000000000C46000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/L | mssecsvc.exe, 00000005.00000002.2183334514.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2213851901.0000000000B98000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comr | mssecsvc.exe, 00000005.00000002.2183334514.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com# | mssecsvc.exe, 00000005.00000002.2183334514.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) | mssecsvc.exe, 00000008.00000002.2213851901.0000000000B98000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.16.166.228 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | United States | 13335 | CLOUDFLARENETUS | false
                                Joe Sandbox version:42.0.0 Malachite
                                Analysis ID:1591359
                                Start date and time:2025-01-14 22:41:12 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 2m 39s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:sEVVq8g1dJ.dll
                                renamed because original name is a hash value
                                Original Sample Name:c7e5be99bbe892922a0ab14dc429f830.dll
                                Detection:MAL
                                Classification:mal100.rans.evad.winDLL@15/1@1/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 2
                                • Number of non-executed functions: 3
                                Cookbook Comments:
                                • Found application associated with file extension: .dll
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): dllhost.exe
                                • Excluded IPs from analysis (whitelisted): 13.107.246.45
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:42:18 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.16.166.228 | 87c6RORO31.dll | malicious | Wannacry | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
104.16.166.228 | 5Q6ffmX9tQ.dll | malicious | Wannacry | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
104.16.166.228 | 9nNO3SHiV1.dll | malicious | Wannacry | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
104.16.166.228 | zbRmQrzaHY.dll | malicious | Wannacry | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
104.16.166.228 | 1w3BDu68Sg.dll | malicious | Wannacry | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | hsmSW6Eifl.dll | malicious | Wannacry | 104.16.167.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 87c6RORO31.dll | malicious | Wannacry | 104.16.166.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | Yx3rRuVx3c.dll | malicious | Wannacry | 104.16.167.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 5Q6ffmX9tQ.dll | malicious | Wannacry | 104.16.166.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 9nNO3SHiV1.dll | malicious | Wannacry | 104.16.166.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | k6fBkyS1R6.dll | malicious | Wannacry | 104.16.167.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | mCgW5qofxC.dll | malicious | Wannacry | 104.16.167.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 6KJ3FjgeLv.dll | malicious | Wannacry | 104.16.167.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | malicious | Unknown | 104.16.166.228
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | malicious | Unknown | 104.16.166.228
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | K064a7Rfk7.msi | malicious | Unknown | 104.21.37.86
CLOUDFLARENETUS | http://monitor.linkwhat.com/tl4tl4726Qz107cK770xR10599lj360px17lb07468gl70015oV95328Kn41253VG39381FP5605427918==aru2826664 | malicious | Phisher | 104.22.8.215
CLOUDFLARENETUS | https://gm.zonimathor.ru/qNd7 | malicious | Unknown | 104.21.48.1
CLOUDFLARENETUS | logitix.pdf | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | XML-702.msi | malicious | AteraAgent | 104.18.18.106
CLOUDFLARENETUS | Default3.aspx | malicious | Unknown | 104.21.83.41
CLOUDFLARENETUS | EFT_Payment_Notification_Gheenirrigation.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | Document_31055.pdf | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://drive.google.com/file/d/1TF-huc4s6nOnHpT977ywO8Fj-NERebnm/view?usp=sharing_eip&ts=6786926e | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://savory-sweet-felidae-psrnd.glitch.me/ | malicious | HTMLPhisher | 104.26.12.205
                                No context
                                No context
                                Process:C:\Windows\SysWOW64\rundll32.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3723264
                                Entropy (8bit):7.959626190294363
                                Encrypted:false
                                SSDEEP:98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2RrT8:wDqPe1Cxcxk3ZAEUadzR8yc4RrT8
                                MD5:1D18214215A7D82EE587DCE2FEFE82C8
                                SHA1:94E03016EDAB83D00A1E04D694ACF843900EEA1C
                                SHA-256:3E6E7B5F98B88DB17D761C39F53E7F1FF0E88B406554089F1C428A4407A92435
                                SHA-512:8A29960D3A6368E5C680C12CC73BA1E6A4CB82F3CAA5360E9D6E6D22CF23B838F34595DA3EBEFC6A532AB825FE40A182BA28AAD309C5B041FE42A4CBFCFB7A9C
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 96%
                                Reputation:low
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L.....................08...................@...........................f......................................................1.T.5..........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc...T.5...1...5.. ..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):6.40371612950774
                                TrID:
                                • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                • Generic Win/DOS Executable (2004/3) 0.20%
                                • DOS Executable Generic (2002/1) 0.20%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:sEVVq8g1dJ.dll
                                File size:5'267'459 bytes
                                MD5:c7e5be99bbe892922a0ab14dc429f830
                                SHA1:504b5f58e7248b351843c93beb0b5cca3888691a
                                SHA256:743d97c117a7c52da04bc432fa5ed53855eab3a0f7c0f7d795cdf83b51fad1be
                                SHA512:b5fdc12878ae631da11a90b8807531190bb98b99ac89779917c61fe22a9035f1c6100df5f3b939775b2157338e16c10b4790bcf48a688bf73557fca94b33ad59
                                SSDEEP:98304:MDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2RrT:MDqPe1Cxcxk3ZAEUadzR8yc4RrT
                                TLSH:E33633A5932CA2FCF1051DF044678926A7733C7567BA4A1F8BD046A70D43B6FAFD0A02
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......
                                Icon Hash:7ae282899bbab082
                                Entrypoint:0x100011e9
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x10000000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                DLL Characteristics:
                                Time Stamp:0x59145751 [Thu May 11 12:21:37 2017 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:2e5708ae5fed0403e8117c645fb23e5b
                                Instruction
                                push ebp
                                mov ebp, esp
                                push ebx
                                mov ebx, dword ptr [ebp+08h]
                                push esi
                                mov esi, dword ptr [ebp+0Ch]
                                push edi
                                mov edi, dword ptr [ebp+10h]
                                test esi, esi
                                jne 00007F97E4F7F59Bh
                                cmp dword ptr [10003140h], 00000000h
                                jmp 00007F97E4F7F5B8h
                                cmp esi, 01h
                                je 00007F97E4F7F597h
                                cmp esi, 02h
                                jne 00007F97E4F7F5B4h
                                mov eax, dword ptr [10003150h]
                                test eax, eax
                                je 00007F97E4F7F59Bh
                                push edi
                                push esi
                                push ebx
                                call eax
                                test eax, eax
                                je 00007F97E4F7F59Eh
                                push edi
                                push esi
                                push ebx
                                call 00007F97E4F7F4AAh
                                test eax, eax
                                jne 00007F97E4F7F596h
                                xor eax, eax
                                jmp 00007F97E4F7F5E0h
                                push edi
                                push esi
                                push ebx
                                call 00007F97E4F7F35Ch
                                cmp esi, 01h
                                mov dword ptr [ebp+0Ch], eax
                                jne 00007F97E4F7F59Eh
                                test eax, eax
                                jne 00007F97E4F7F5C9h
                                push edi
                                push eax
                                push ebx
                                call 00007F97E4F7F486h
                                test esi, esi
                                je 00007F97E4F7F597h
                                cmp esi, 03h
                                jne 00007F97E4F7F5B8h
                                push edi
                                push esi
                                push ebx
                                call 00007F97E4F7F475h
                                test eax, eax
                                jne 00007F97E4F7F595h
                                and dword ptr [ebp+0Ch], eax
                                cmp dword ptr [ebp+0Ch], 00000000h
                                je 00007F97E4F7F5A3h
                                mov eax, dword ptr [10003150h]
                                test eax, eax
                                je 00007F97E4F7F59Ah
                                push edi
                                push esi
                                push ebx
                                call eax
                                mov dword ptr [ebp+0Ch], eax
                                mov eax, dword ptr [ebp+0Ch]
                                pop edi
                                pop esi
                                pop ebx
                                pop ebp
                                retn 000Ch
                                jmp dword ptr [10002028h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                Programming Language:
                                • [ C ] VS98 (6.0) build 8168
                                • [C++] VS98 (6.0) build 8168
                                • [RES] VS98 (6.0) cvtres build 1720
                                • [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2190 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x500060 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x505000 | 0x5c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x28c | 0x1000 | 8de9a2cb31e4c74bd008b871d14bfafc | False | 0.13037109375 | data | 1.4429971244731552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x1d8 | 0x1000 | 3dd394f95ab218593f2bc8eb65184db4 | False | 0.072509765625 | data | 0.7346018133622799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x154 | 0x1000 | fe5022c5b5d015ad38b2b77fc437a5cb | False | 0.016845703125 | Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0 | 0.085238686413312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4000 | 0x500060 | 0x501000 | 95394a2e4dde0451833782769ed6c9cc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x505000 | 0x2ac | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
W | 0x4060 | 0x500000 | data | English | United States | 0.8770952224731445
DLL | Import
KERNEL32.dll | CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll | free, _initterm, malloc, _adjust_fdiv, sprintf
Name | Ordinal | Address
PlayGame | 1 | 0x10001114
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-14T22:42:17.144000+0100 | 2024291 | ET MALWARE Possible WannaCry DNS Lookup 1 | 1 | 192.168.2.5 | 56428 | 1.1.1.1 | 53 | UDP
2025-01-14T22:42:17.646998+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:17.646998+0100 | 2024298 | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 | 1 | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:17.646998+0100 | 2024299 | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 | 1 | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:17.646998+0100 | 2024301 | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 | 1 | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:17.646998+0100 | 2024302 | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 | 1 | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:17.647296+0100 | 2031515 | ET MALWARE Known Sinkhole Response Kryptos Logic | 3 | 104.16.166.228 | 80 | 192.168.2.5 | 49718 | TCP
2025-01-14T22:42:20.671466+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.671466+0100 | 2024298 | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 | 1 | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.671466+0100 | 2024299 | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 | 1 | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.671466+0100 | 2024301 | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 | 1 | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.671466+0100 | 2024302 | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 | 1 | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | TCP
2025-01-14T22:42:20.672247+0100 | 2031515 | ET MALWARE Known Sinkhole Response Kryptos Logic | 3 | 104.16.166.228 | 80 | 192.168.2.5 | 49719 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 22:42:17.161802053 CET | 49718 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:17.166656017 CET | 80 | 49718 | 104.16.166.228 | 192.168.2.5
Jan 14, 2025 22:42:17.166728973 CET | 49718 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:17.166876078 CET | 49718 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:17.171695948 CET | 80 | 49718 | 104.16.166.228 | 192.168.2.5
Jan 14, 2025 22:42:17.646943092 CET | 80 | 49718 | 104.16.166.228 | 192.168.2.5
Jan 14, 2025 22:42:17.646997929 CET | 49718 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:17.647105932 CET | 49718 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:17.647295952 CET | 80 | 49718 | 104.16.166.228 | 192.168.2.5
Jan 14, 2025 22:42:17.647631884 CET | 49718 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:17.651876926 CET | 80 | 49718 | 104.16.166.228 | 192.168.2.5
Jan 14, 2025 22:42:20.052269936 CET | 49719 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:20.057302952 CET | 80 | 49719 | 104.16.166.228 | 192.168.2.5
Jan 14, 2025 22:42:20.057415962 CET | 49719 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:20.057708025 CET | 49719 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:20.062561989 CET | 80 | 49719 | 104.16.166.228 | 192.168.2.5
Jan 14, 2025 22:42:20.671386003 CET | 80 | 49719 | 104.16.166.228 | 192.168.2.5
Jan 14, 2025 22:42:20.671466112 CET | 49719 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:20.671561956 CET | 49719 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:20.672246933 CET | 80 | 49719 | 104.16.166.228 | 192.168.2.5
Jan 14, 2025 22:42:20.672449112 CET | 49719 | 80 | 192.168.2.5 | 104.16.166.228
Jan 14, 2025 22:42:20.676629066 CET | 80 | 49719 | 104.16.166.228 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 22:42:17.144000053 CET | 56428 | 53 | 192.168.2.5 | 1.1.1.1
Jan 14, 2025 22:42:17.153270006 CET | 53 | 56428 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 14, 2025 22:42:17.144000053 CET | 192.168.2.5 | 1.1.1.1 | 0x7f85 | Standard query (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 14, 2025 22:42:17.153270006 CET | 1.1.1.1 | 192.168.2.5 | 0x7f85 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.166.228 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 22:42:17.153270006 CET | 1.1.1.1 | 192.168.2.5 | 0x7f85 | No error (0) | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | | 104.16.167.228 | A (IP address) | IN (0x0001) | false
                                • www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49718 | 104.16.166.228 | 80 | 7400 | C:\Windows\mssecsvc.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 22:42:17.166876078 CET | 100 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
Jan 14, 2025 22:42:17.646943092 CET | 778 | IN | HTTP/1.1 200 OK
                                Date: Tue, 14 Jan 2025 21:42:17 GMT
                                Content-Type: text/html
                                Content-Length: 607
                                Connection: close
                                Server: cloudflare
                                CF-RAY: 9020cb87fd8215a3-EWR
                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED]
                                Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49719 | 104.16.166.228 | 80 | 7540 | C:\Windows\mssecsvc.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 22:42:20.057708025 CET | 100 | OUT | GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
Jan 14, 2025 22:42:20.671386003 CET | 778 | IN | HTTP/1.1 200 OK
                                Date: Tue, 14 Jan 2025 21:42:20 GMT
                                Content-Type: text/html
                                Content-Length: 607
                                Connection: close
                                Server: cloudflare
                                CF-RAY: 9020cb99fa9915c7-EWR
                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED]
                                Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
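The Suricata alert table above lost its column separators in this export, which makes runs such as "2.5564281.1.1.153" ambiguous to split without knowing which addresses are plausible. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it rebuilds the columns by anchoring on the hosts the DNS tables list (analysis VM, resolver, the two A records), then correlates each TCP session's kill-switch-domain request with the Kryptos Logic sinkhole response and states what the sample does next. The first seven rows are copied from the report's 49718 session; the last row (port 49720, no sinkhole reply) is constructed to exercise the unanswered-request path.

```python
"""Rebuild the flattened Suricata alert rows from this report and correlate
them per TCP session into a kill-switch verdict.  Added example code, not
part of the Joe Sandbox report or of the sample."""
import re
from collections import defaultdict

# Rows of the alert table as this export shows them: the column separators
# were lost, so timestamp, SID, signature, severity, IPs, ports and protocol
# run together.  The first seven are the report's 49718 session; the last
# one (port 49720, no sinkhole reply) is constructed to show the other path.
ALERT_ROWS = [
    "2025-01-14T22:42:17.144000+01002024291ET MALWARE Possible WannaCry DNS Lookup 11192.168.2.5564281.1.1.153UDP",
    "2025-01-14T22:42:17.646998+01002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.549718104.16.166.22880TCP",
    "2025-01-14T22:42:17.646998+01002024298ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 11192.168.2.549718104.16.166.22880TCP",
    "2025-01-14T22:42:17.646998+01002024299ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 21192.168.2.549718104.16.166.22880TCP",
    "2025-01-14T22:42:17.646998+01002024301ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 41192.168.2.549718104.16.166.22880TCP",
    "2025-01-14T22:42:17.646998+01002024302ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 51192.168.2.549718104.16.166.22880TCP",
    "2025-01-14T22:42:17.647296+01002031515ET MALWARE Known Sinkhole Response Kryptos Logic3104.16.166.22880192.168.2.549718TCP",
    "2025-01-14T22:42:23.000000+01002024298ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 11192.168.2.549720104.16.166.22880TCP",  # constructed
]

# Hosts listed in the report's DNS tables: the analysis VM, the resolver and
# the two A records for the kill-switch domain.  The literal addresses are
# what makes a run such as "2.5564281.1.1.153" splittable at all.
ANALYSIS_VM = "192.168.2.5"
KNOWN_HOSTS = (ANALYSIS_VM, "1.1.1.1", "104.16.166.228", "104.16.167.228")

DNS_LOOKUP_SID = 2024291                                # Possible WannaCry DNS Lookup 1
KILLSWITCH_SIDS = {2024298, 2024299, 2024301, 2024302}  # Killswitch Domain HTTP Request 1/2/4/5
SINKHOLE_SID = 2031515                                  # Known Sinkhole Response Kryptos Logic

VERDICT_EXIT = "kill-switch reached sinkhole: sample exits without installing mssecsvc2.0"
VERDICT_PROCEED = "kill-switch request unanswered: InternetOpenUrlA fails, sample proceeds"

HEAD_RE = re.compile(r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6}[+-]\d{4})(?P<sid>\d{7})(?P<rest>.+)")


def parse_alert(row: str) -> dict:
    """Split one flattened row into its columns, or raise ValueError."""
    head = HEAD_RE.fullmatch(row)
    if not head:
        raise ValueError(f"unrecognised row: {row!r}")
    for src in KNOWN_HOSTS:
        for dst in KNOWN_HOSTS:
            if src == dst:
                continue
            # severity is a single digit sitting right before the source IP
            tail = re.fullmatch(
                r"(?P<sig>.+?)(?P<sev>\d)" + re.escape(src) + r"(?P<sport>\d{1,5})"
                + re.escape(dst) + r"(?P<dport>\d{1,5})(?P<proto>TCP|UDP)", head["rest"])
            if tail:
                return {"ts": head["ts"], "sid": int(head["sid"]), "sig": tail["sig"],
                        "sev": int(tail["sev"]), "src": src, "sport": int(tail["sport"]),
                        "dst": dst, "dport": int(tail["dport"]), "proto": tail["proto"]}
    raise ValueError(f"no known host pair fits: {row!r}")


def correlate(rows):
    """Return (dns_lookup_seen, {(vm_ip, vm_port): verdict}) for the rows."""
    alerts = [parse_alert(r) for r in rows]
    dns_seen = any(a["sid"] == DNS_LOOKUP_SID for a in alerts)
    sessions = defaultdict(lambda: {"request": False, "sinkhole": False})
    for a in alerts:
        if a["proto"] != "TCP":
            continue
        # key both directions on the VM-side socket so request and reply meet
        key = (a["src"], a["sport"]) if a["src"] == ANALYSIS_VM else (a["dst"], a["dport"])
        if a["sid"] in KILLSWITCH_SIDS:
            sessions[key]["request"] = True
        elif a["sid"] == SINKHOLE_SID:
            sessions[key]["sinkhole"] = True
    verdicts = {}
    for key, s in sessions.items():
        if s["request"]:
            verdicts[key] = VERDICT_EXIT if s["sinkhole"] else VERDICT_PROCEED
    return dns_seen, verdicts


if __name__ == "__main__":
    seen, out = correlate(ALERT_ROWS)
    print("kill-switch DNS lookup seen:", seen)
    for key, v in sorted(out.items()):
        print(key, v)
```

The verdict strings encode what the control-flow listing further down shows: InternetOpenA is called with a NULL agent and dwAccessType 1 (INTERNET_OPEN_TYPE_DIRECT), so the request carries no User-Agent and ignores any configured proxy, and InternetOpenUrlA is called with dwFlags 0x84000000 (INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE), which is where the Cache-Control: no-cache header comes from. A successful open makes the sample exit; any failure, including a resolver that does not answer or a network whose only HTTP egress is a proxy, lets it continue. A 200 from the sinkhole is therefore the benign outcome, which is why both sessions in this report end with the Kryptos Logic response and no further alerts.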


                                Target ID:0
                                Start time:16:42:15
                                Start date:14/01/2025
                                Path:C:\Windows\System32\loaddll32.exe
                                Wow64 process (32bit):true
                                Commandline:loaddll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll"
                                Imagebase:0x220000
                                File size:126'464 bytes
                                MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:1
                                Start time:16:42:15
                                Start date:14/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:16:42:15
                                Start date:14/01/2025
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",#1
                                Imagebase:0x790000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:16:42:15
                                Start date:14/01/2025
                                Path:C:\Windows\SysWOW64\rundll32.exe
                                Wow64 process (32bit):true
                                Commandline:rundll32.exe C:\Users\user\Desktop\sEVVq8g1dJ.dll,PlayGame
                                Imagebase:0x700000
                                File size:61'440 bytes
                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:16:42:15
                                Start date:14/01/2025
                                Path:C:\Windows\SysWOW64\rundll32.exe
                                Wow64 process (32bit):true
                                Commandline:rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",#1
                                Imagebase:0x700000
                                File size:61'440 bytes
                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:16:42:15
                                Start date:14/01/2025
                                Path:C:\Windows\mssecsvc.exe
                                Wow64 process (32bit):true
                                Commandline:C:\WINDOWS\mssecsvc.exe
                                Imagebase:0x400000
                                File size:3'723'264 bytes
                                MD5 hash:1D18214215A7D82EE587DCE2FEFE82C8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2175675999.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2182825165.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2175794050.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.2175794050.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 96%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:7
                                Start time:16:42:18
                                Start date:14/01/2025
                                Path:C:\Windows\SysWOW64\rundll32.exe
                                Wow64 process (32bit):true
                                Commandline:rundll32.exe "C:\Users\user\Desktop\sEVVq8g1dJ.dll",PlayGame
                                Imagebase:0x700000
                                File size:61'440 bytes
                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:16:42:18
                                Start date:14/01/2025
                                Path:C:\Windows\mssecsvc.exe
                                Wow64 process (32bit):true
                                Commandline:C:\WINDOWS\mssecsvc.exe
                                Imagebase:0x400000
                                File size:3'723'264 bytes
                                MD5 hash:1D18214215A7D82EE587DCE2FEFE82C8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2205283824.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2213030622.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2213198887.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2213198887.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2205486210.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.2205486210.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:36.3%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:57.9%
                                  Total number of Nodes:38
                                  Total number of Limit Nodes:2

                                  Callgraph

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2182759046.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2182737252.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182802534.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182825165.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182825165.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182879323.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                  • Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
                                  • Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
                                  • Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

                                  Control-flow Graph

                                  APIs
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
                                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
                                  • InternetCloseHandle.WININET(00000000), ref: 004081A7
                                  • InternetCloseHandle.WININET(00000000), ref: 004081AB
                                    • Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                    • Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5
                                  • InternetCloseHandle.WININET(00000000), ref: 004081BC
                                  • InternetCloseHandle.WININET(00000000), ref: 004081BF
                                  Strings
                                  • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2182759046.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2182737252.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182802534.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182825165.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182825165.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182879323.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandle$Open$FileModuleName__p___argc
                                  • String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
                                  • API String ID: 2010709392-2942426231
                                  • Opcode ID: ec133b43de4331460eff2a0b2c8cd404513b79e1c5a5deea9d12a904249ad51c
                                  • Instruction ID: e18cae5e57e59901b1837d80ae8654563a660de2be6bc36b6f573cb3739cdf66
                                  • Opcode Fuzzy Hash: ec133b43de4331460eff2a0b2c8cd404513b79e1c5a5deea9d12a904249ad51c
                                  • Instruction Fuzzy Hash: AB0175719043206EE310EF749C01BAF7BE9EF85750F01042FF984E6280EAB5981487A7

                                  Control-flow Graph

Control-flow graph nodes (address range, notable calls): 26 407ce0-407cfb GetModuleHandleW; 27 407d01-407d43 GetProcAddress * 4; 28 407f08-407f14 (every other node has an edge to it); 29 407d49-407d4f; 30 407d55-407d5b; 31 407d61-407d63; 32 407d69-407d7e FindResourceA; 33 407d84-407d8e LoadResource; 34 407d94-407da1 LockResource; 35 407da7-407db3 SizeofResource; 36 407db9-407e4e sprintf * 2, MoveFileExA; 38 407e54-407ef0; 42 407ef2-407f01
Edges: 26->27, 26->28, 27->28, 27->29, 29->28, 29->30, 30->28, 30->31, 31->28, 31->32, 32->28, 32->33, 33->28, 33->34, 34->28, 34->35, 35->28, 35->36, 36->28, 36->38, 38->28, 38->42, 42->28
                                  APIs
                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
                                  • GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
                                  • GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
                                  • GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
                                  • GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
                                  • FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
                                  • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
                                  • LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
                                  • SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
                                  • sprintf.MSVCRT ref: 00407E01
                                  • sprintf.MSVCRT ref: 00407E18
                                  • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2182759046.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2182737252.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182802534.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182825165.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182825165.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182879323.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
                                  • String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
                                  • API String ID: 4072214828-1507730452
                                  • Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                  • Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
                                  • Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
                                  • Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

                                  Control-flow Graph

                                  APIs
                                  • sprintf.MSVCRT ref: 00407C56
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
                                  • CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
                                  • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2182759046.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2182737252.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182802534.000000000040A000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182825165.000000000040B000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182825165.000000000040F000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182879323.0000000000431000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
                                  • String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
                                  • API String ID: 3340711343-4063779371
                                  • Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                  • Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
                                  • Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
                                  • Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

                                  Control-flow Graph

                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
                                  • __p___argc.MSVCRT ref: 004080A5
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
                                  • OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
                                  • CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
                                  • StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2182759046.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000005.00000002.2182737252.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.2182802534.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.2182825165.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.2182825165.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.2182879323.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.2182965463.0000000000710000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
                                  • String ID: mssecsvc2.0
                                  • API String ID: 4274534310-3729025388
                                  • Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                  • Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
                                  • Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
                                  • Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF