Windows
Analysis Report
mssecsvc.exe.exe
Overview
General Information
Detection
Wannacry
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to download HTTP data from a sinkholed server
Yara detected Wannacry ransomware
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Connects to several IPs in different countries
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match
Classification
- System is w7x64
mssecsvc.exe.exe (PID: 3504 cmdline:
"C:\Users\ user\Deskt op\mssecsv c.exe.exe" MD5: 0C694193CEAC8BFB016491FFB534EB7C) tasksche.exe (PID: 3792 cmdline:
C:\WINDOWS \tasksche. exe /i MD5: 7F7CCAA16FB15EB1C7399D422F8363E8)
mssecsvc.exe.exe (PID: 3676 cmdline:
C:\Users\u ser\Deskto p\mssecsvc .exe.exe - m security MD5: 0C694193CEAC8BFB016491FFB534EB7C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
WannaCryptor, WannaCry, WannaCrypt | WannaCry is ransomware that contains a worm component enabled by the EternalBlue exploit. It attempts to use vulnerabilities in the Windows SMBv1 server to remotely compromise systems, encrypt files, and spread to other hosts. Systems that have installed the MS17-010 patch are not vulnerable to the exploits used. The spreading was stopped about 8 hours after initial outbreak due to triggering a kill switch domain. |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | ||
WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) |
| |
WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT) |
| |
wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team |
| |
Win32_Ransomware_WannaCry | unknown | ReversingLabs |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | ||
WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly) |
| |
wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team |
| |
Win32_Ransomware_WannaCry | unknown | ReversingLabs |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | ||
wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team |
| |
wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team |
| |
JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | ||
JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security | ||
Click to see the 15 entries |
System Summary |
---|
Source: | Author: frack113: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-28T22:13:26.998295+0100 | 2031515 | 3 | Misc activity | 104.16.166.228 | 80 | 192.168.2.22 | 49161 | TCP |
2025-03-28T22:13:27.867818+0100 | 2031515 | 3 | Misc activity | 104.16.166.228 | 80 | 192.168.2.22 | 49162 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-28T22:13:26.695035+0100 | 2024291 | 1 | A Network Trojan was detected | 192.168.2.22 | 54562 | 8.8.8.8 | 53 | UDP |
2025-03-28T22:13:27.565802+0100 | 2024291 | 1 | A Network Trojan was detected | 192.168.2.22 | 52917 | 8.8.8.8 | 53 | UDP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-28T22:13:26.998238+0100 | 2024298 | 1 | A Network Trojan was detected | 192.168.2.22 | 49161 | 104.16.166.228 | 80 | TCP |
2025-03-28T22:13:27.867162+0100 | 2024298 | 1 | A Network Trojan was detected | 192.168.2.22 | 49162 | 104.16.166.228 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-28T22:13:26.998238+0100 | 2024299 | 1 | A Network Trojan was detected | 192.168.2.22 | 49161 | 104.16.166.228 | 80 | TCP |
2025-03-28T22:13:27.867162+0100 | 2024299 | 1 | A Network Trojan was detected | 192.168.2.22 | 49162 | 104.16.166.228 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-28T22:13:26.998238+0100 | 2024301 | 1 | A Network Trojan was detected | 192.168.2.22 | 49161 | 104.16.166.228 | 80 | TCP |
2025-03-28T22:13:27.867162+0100 | 2024301 | 1 | A Network Trojan was detected | 192.168.2.22 | 49162 | 104.16.166.228 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-28T22:13:26.998238+0100 | 2024302 | 1 | A Network Trojan was detected | 192.168.2.22 | 49161 | 104.16.166.228 | 80 | TCP |
2025-03-28T22:13:27.867162+0100 | 2024302 | 1 | A Network Trojan was detected | 192.168.2.22 | 49162 | 104.16.166.228 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-28T22:13:26.998238+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.22 | 49161 | 104.16.166.228 | 80 | TCP |
2025-03-28T22:13:27.867162+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.22 | 49162 | 104.16.166.228 | 80 | TCP |
- • AV Detection
- • Exploits
- • Compliance
- • Networking
- • Spam, unwanted Advertisements and Ransom Demands
- • System Summary
- • Persistence and Installation Behavior
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • HIPS / PFW / Operating System Protection Evasion
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | Avira: |
Source: | ReversingLabs: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Exploits |
---|
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior |
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior | ||
Source: | TCP traffic: | Jump to behavior |
Source: | Static PE information: |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | HTTP traffic detected: |