Windows Analysis Report
f5mfkHLLVe.dll

Overview

General Information

Sample name: f5mfkHLLVe.dll
renamed because original name is a hash value
Original sample name: f4467cf9b7f5c536f0766ac2851b53b7.dll
Analysis ID: 1592051
MD5: f4467cf9b7f5c536f0766ac2851b53b7
SHA1: 5c64d92015518d307b5e5856bc4e4ced71a08c2b
SHA256: 89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
Tags: dll, exe, user-mentality

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Wannacry ransomware
AI detected suspicious sample
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Connects to several IPs in different countries
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection

Source: f5mfkHLLVe.dll Avira: detected
Source: C:\WINDOWS\qeriuwjhrf (copy) ReversingLabs: Detection: 96%
Source: C:\Windows\tasksche.exe ReversingLabs: Detection: 96%
Source: f5mfkHLLVe.dll Virustotal: Detection: 94%
Source: f5mfkHLLVe.dll ReversingLabs: Detection: 92%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Windows\tasksche.exe Joe Sandbox ML: detected
Source: f5mfkHLLVe.dll Joe Sandbox ML: detected

Exploits

Source: f5mfkHLLVe.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49910 version: TLS 1.0
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50263 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50640 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:50642 version: TLS 1.2

Networking

Source: Network traffic Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.6:53999 -> 1.1.1.1:53
Source: unknown Network traffic detected: IP country count 11
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /?subid1=20250116-0347-1541-9f57-da56839b827f HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache Cookie: __tad=1736959635.6911048
Source: global traffic HTTP traffic detected: GET /?subid1=20250116-0347-17ab-9aa2-62d8b5f7fc12 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /?subid1=20250116-0347-17ae-b188-3b0abf488c58 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive Cookie: parking_session=ebac6318-2a75-4752-ba46-19550119d49c
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49712 -> 103.224.212.215:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49710 -> 103.224.212.215:80
Source: global traffic DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: f5mfkHLLVe.dll String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: f5mfkHLLVe.dll, type: SAMPLE
Source: Yara match File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.2185223099.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2832841318.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2160946796.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.2189366681.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2197719632.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2205428809.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mssecsvr.exe PID: 5772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mssecsvr.exe PID: 3196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mssecsvr.exe PID: 5916, type: MEMORYSTR
Source: Yara match File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Source: f5mfkHLLVe.dll, type: SAMPLE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: f5mfkHLLVe.dll, type: SAMPLE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d4c084.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22748c8.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d7e128.5.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d7e128.5.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22a696c.7.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22a696c.7.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe File created: C:\WINDOWS\tasksche.exe
Source: C:\Windows\mssecsvr.exe File created: C:\WINDOWS\tasksche.exe
Source: tasksche.exe.6.dr Static PE information: No import functions for PE file found
Source: f5mfkHLLVe.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: f5mfkHLLVe.dll, type: SAMPLE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: f5mfkHLLVe.dll, type: SAMPLE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d4c084.3.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22748c8.9.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d7e128.5.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d7e128.5.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22a696c.7.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22a696c.7.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d7e128.5.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22a696c.7.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.1d5b104.4.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.2283948.8.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d4c084.3.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.22748c8.9.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d5b104.4.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.227f8e8.6.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.1d570a4.2.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvr.exe.2283948.8.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.2185353936.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2197846856.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.2205701393.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2834191823.0000000002283000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2833962615.0000000001D5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.2189507796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2832960102.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.2161097186.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: tasksche.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tasksche.exe.6.dr Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.6.dr Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.6.dr Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413
Source: f5mfkHLLVe.dll, tasksche.exe.6.dr Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
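Two of the static indicators above are cheap to reproduce on a dropped file without a sandbox: the "WANACRY!" marker and the targeted-extension list that the report found as a string in both the DLL and tasksche.exe, and the "ZLIB complexity" figure it prints per PE section (compressed size divided by raw size; a value at or above 1.0 means the section did not compress at all, which is how packed or encrypted data looks). The script below is an added example written for this page, not code from the report or the sandbox; the sample buffers are constructed, and treating a victim file as one that begins with the "WANACRY!" marker is an assumption, not something the report states.

```python
import hashlib
import zlib

# Strings the report found in f5mfkHLLVe.dll and tasksche.exe.6.dr
WANACRY_MAGIC = b"WANACRY!"
EXTENSION_LIST_PREFIX = b".der.pfx.key.crt.csr.p12.pem"


def zlib_complexity(data: bytes) -> float:
    """Compressed-size / raw-size ratio, the per-section metric in the report.
    Text and code compress well (ratio well below 1.0); random-looking data
    does not (ratio ~1.0 or slightly above because of zlib framing overhead)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def wannacry_markers(data: bytes) -> dict:
    """Look for the strings the report lists, and note whether the marker sits
    at offset 0 (assumed here to be the shape of an encrypted victim file)."""
    return {
        "wanacry_magic": WANACRY_MAGIC in data,
        "extension_list": EXTENSION_LIST_PREFIX in data,
        "magic_at_offset_0": data.startswith(WANACRY_MAGIC),
    }


def triage(name: str, data: bytes) -> dict:
    """One row of a static triage table for a buffer (file or PE section)."""
    row = {"name": name, "zlib_complexity": round(zlib_complexity(data), 4)}
    row.update(wannacry_markers(data))
    return row


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for encrypted/packed bytes so the example is
    reproducible (hash-derived stream, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample buffers (none of these bytes come from the sample):
TEXT_SECTION = b"CloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFile" * 64
PACKED_SECTION = pseudo_random_bytes(4096)
DROPPED_BINARY = (b"\x00" * 100 + EXTENSION_LIST_PREFIX + b".odt.ott"
                  + WANACRY_MAGIC + b"%s\\%s" + b"\x00" * 50)
VICTIM_FILE = WANACRY_MAGIC + pseudo_random_bytes(512, b"victim")

if __name__ == "__main__":
    for name, buf in [("text-like section", TEXT_SECTION),
                      ("packed-like section", PACKED_SECTION),
                      ("dropped binary", DROPPED_BINARY),
                      ("victim file", VICTIM_FILE)]:
        print(triage(name, buf))
```

The ratio is only a hint: a legitimately compressed resource (an embedded archive or image) scores the same as an encrypted payload, so pair it with the string markers and the behavioural evidence further down before drawing a conclusion.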
Source: classification engine Classification label: mal100.rans.expl.evad.winDLL@18/2@2/100
Source: C:\Windows\mssecsvr.exe Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 6_2_00407C40
Source: C:\Windows\mssecsvr.exe Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 8_2_00407C40
Source: C:\Windows\mssecsvr.exe Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle, 6_2_00407CE0
Source: C:\Windows\mssecsvr.exe Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 6_2_00407C40
Source: C:\Windows\mssecsvr.exe Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA, 6_2_00408090
Source: C:\Windows\mssecsvr.exe Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA, 8_2_00408090
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3768:120:WilError_03
Source: f5mfkHLLVe.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f5mfkHLLVe.dll,PlayGame
Source: f5mfkHLLVe.dll Virustotal: Detection: 94%
Source: f5mfkHLLVe.dll ReversingLabs: Detection: 92%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f5mfkHLLVe.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: unknown Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\f5mfkHLLVe.dll,PlayGame Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",PlayGame Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: msvcp60.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\mssecsvr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: f5mfkHLLVe.dll Static file information: File size 5267459 > 1048576
Source: f5mfkHLLVe.dll Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
Source: tasksche.exe.6.dr Static PE information: section name: .text entropy: 7.64063717569669

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe Executable created and started: C:\WINDOWS\mssecsvr.exe Jump to behavior
Source: C:\Windows\mssecsvr.exe File created: C:\WINDOWS\qeriuwjhrf (copy) Jump to dropped file
Source: C:\Windows\mssecsvr.exe File created: C:\Windows\tasksche.exe Jump to dropped file
Source: C:\Windows\mssecsvr.exe File created: C:\WINDOWS\qeriuwjhrf (copy) Jump to dropped file
Source: C:\Windows\mssecsvr.exe File created: C:\Windows\tasksche.exe Jump to dropped file
Source: C:\Windows\mssecsvr.exe Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 6_2_00407C40
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\mssecsvr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\mssecsvr.exe Thread delayed: delay time: 86400000 Jump to behavior
Source: C:\Windows\mssecsvr.exe Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy) Jump to dropped file
Source: C:\Windows\mssecsvr.exe Dropped PE file which has not been started: C:\Windows\tasksche.exe Jump to dropped file
Source: C:\Windows\mssecsvr.exe TID: 3360 Thread sleep count: 93 > 30 Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3360 Thread sleep time: -186000s >= -30000s Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 4620 Thread sleep count: 125 > 30 Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 4620 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Windows\mssecsvr.exe TID: 3360 Thread sleep time: -86400000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Windows\mssecsvr.exe Thread delayed: delay time: 86400000 Jump to behavior
Source: mssecsvr.exe, 00000006.00000003.2176271509.0000000000A80000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.2198166396.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2833159917.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.2197367859.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2833159917.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.2205984720.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mssecsvr.exe, 00000006.00000002.2198166396.0000000000A46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp7
Source: mssecsvr.exe, 0000000A.00000002.2205984720.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",#1 Jump to behavior
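The behavioural evidence in this section reduces to a handful of host telemetry patterns: rundll32.exe invoked with the DLL's PlayGame export, rundll32.exe starting an executable placed directly in C:\Windows, a service installed via OpenSCManagerA/CreateServiceA/StartServiceA whose binary runs as mssecsvr.exe -m security, PE files dropped as C:\Windows\tasksche.exe and C:\WINDOWS\qeriuwjhrf, and a thread delay of 86400000 ms (24 hours). The detector below is an added example written for this page, not sandbox or report code; the event records are constructed to mirror the process tree and file drops above, the Event shape is a hypothetical simplification of Sysmon-style telemetry, and the parent of the "-m security" instance (services.exe) is an assumption, since the report lists that parent as unknown.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Hypothetical, simplified telemetry record (one Sysmon-like event)."""
    kind: str                 # "process", "file", "service" or "sleep"
    image: str = ""           # acting process
    parent: str = ""          # parent process (process events)
    cmdline: str = ""         # command line (process events)
    path: str = ""            # file path or service binary path
    delay_ms: int = 0         # thread delay (sleep events)


WINDOWS_ROOT = r"c:\windows"
DROP_NAMES = {"tasksche.exe", "qeriuwjhrf"}       # drops named in the report
LONG_SLEEP_MS = 24 * 60 * 60 * 1000               # 86400000 ms as reported
PLAYGAME_RE = re.compile(r'\.dll"?\s*,\s*PlayGame\b', re.IGNORECASE)
SERVICE_MODE_RE = re.compile(r"-m\s+security\b", re.IGNORECASE)


def rules_for(ev: Event) -> list:
    """Return the names of every rule the event triggers."""
    hits = []
    img = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent).lower()
    if ev.kind == "process":
        if img == "rundll32.exe" and PLAYGAME_RE.search(ev.cmdline):
            hits.append("rundll32_playgame_export")
        if parent == "rundll32.exe" and ntpath.dirname(ev.image).lower() == WINDOWS_ROOT:
            hits.append("rundll32_spawns_windows_root_exe")
        if img == "mssecsvr.exe" and SERVICE_MODE_RE.search(ev.cmdline):
            hits.append("mssecsvr_service_mode")
    elif ev.kind == "service":
        if re.search(r"mssecsvr\.exe", ev.path, re.IGNORECASE):
            hits.append("mssecsvr_service_install")
    elif ev.kind == "file":
        if (ntpath.dirname(ev.path).lower() == WINDOWS_ROOT
                and ntpath.basename(ev.path).lower() in DROP_NAMES):
            hits.append("wannacry_dropper_file")
    elif ev.kind == "sleep" and ev.delay_ms >= LONG_SLEEP_MS:
        hits.append("long_sleep_evasion")
    return hits


def detect(events) -> list:
    """(rule, event) pairs for every triggered rule, in telemetry order."""
    return [(rule, ev) for ev in events for rule in rules_for(ev)]


def summarize(events) -> dict:
    """Rule name -> hit count, the shape a triage dashboard would show."""
    counts = {}
    for rule, _ in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed telemetry modelled on this report's process tree and drops.
EVENTS = [
    Event("process", image=r"C:\Windows\SysWOW64\rundll32.exe",
          parent=r"C:\Windows\System32\loaddll32.exe",
          cmdline=r'rundll32.exe "C:\Users\user\Desktop\f5mfkHLLVe.dll",PlayGame'),
    Event("process", image=r"C:\Windows\mssecsvr.exe",
          parent=r"C:\Windows\SysWOW64\rundll32.exe", cmdline=r"C:\WINDOWS\mssecsvr.exe"),
    Event("service", image=r"C:\Windows\mssecsvr.exe", path=r"C:\WINDOWS\mssecsvr.exe -m security"),
    Event("process", image=r"C:\Windows\mssecsvr.exe",
          parent=r"C:\Windows\System32\services.exe",      # assumed parent
          cmdline=r"C:\WINDOWS\mssecsvr.exe -m security"),
    Event("file", image=r"C:\Windows\mssecsvr.exe", path=r"C:\Windows\tasksche.exe"),
    Event("file", image=r"C:\Windows\mssecsvr.exe", path=r"C:\WINDOWS\qeriuwjhrf"),
    Event("sleep", image=r"C:\Windows\mssecsvr.exe", delay_ms=86_400_000),
    # benign noise that must not fire
    Event("process", image=r"C:\Windows\System32\svchost.exe",
          parent=r"C:\Windows\System32\services.exe", cmdline="svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(f"{rule:34s} {ev.image} {ev.cmdline or ev.path or ev.delay_ms}")
    print(summarize(EVENTS))
```

The rundll32.exe ",#1" invocations above come from the sandbox's loaddll32.exe harness enumerating exports, so they are deliberately not a rule; the PlayGame export and the spawn of an executable from the C:\Windows root are the parts that belong to the sample.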