Windows Analysis Report
ET6LdJaK54.dll

Overview

General Information

Sample name: ET6LdJaK54.dll
renamed because original name is a hash value
Original sample name: ef894d1c6dd120fad5a885bc737d6338.dll
Analysis ID: 1592053
MD5: ef894d1c6dd120fad5a885bc737d6338
SHA1: 5a0b060469b3d9a0ae8b46969e5a92cf7cbcb909
SHA256: 7f45d112de4bb9aec75ce9e2f22997d10d383fc82c357d1c1f97ea5a10132663
Tags: dll, exe, user-mentality

Detection

Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Wannacry Ransomware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to download HTTP data from a sinkholed server
Yara detected Wannacry ransomware
AI detected suspicious sample
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Connects to several IPs in different countries
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: ET6LdJaK54.dll Avira: detected
Source: C:\Windows\tasksche.exe Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\WINDOWS\qeriuwjhrf (copy) ReversingLabs: Detection: 97%
Source: C:\Windows\tasksche.exe ReversingLabs: Detection: 97%
Source: ET6LdJaK54.dll ReversingLabs: Detection: 94%
Source: ET6LdJaK54.dll Virustotal: Detection: 93%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.6% probability
Source: C:\Windows\tasksche.exe Joe Sandbox ML: detected
Source: ET6LdJaK54.dll Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe Code function: 7_2_004018B9 CryptReleaseContext, 7_2_004018B9

Exploits

Source: ET6LdJaK54.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: ole32.pdbdCompareExchange64 source: ET6LdJaK54.dll, tasksche.exe.5.dr
Source: Binary string: ole32.pdb source: ET6LdJaK54.dll, tasksche.exe.5.dr

Networking

Source: Network traffic Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.4:49731 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.4:49750 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.4:49731 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.4:49750 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.4:49730 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.4:49750 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.4:49750 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.4:49730 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.4:49730 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.4:49730 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.4:49731 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.4:49731 -> 104.16.167.228:80
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:50:01 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90275cc70a8232d9-EWR Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:50:02 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90275ccb9d690f71-EWR Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:50:04 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90275cd89dd17c94-EWR Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: unknown Network traffic detected: IP country count 10
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Source: Network traffic Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.4:56261 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49750 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 104.16.167.228:80
Source: Network traffic Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.4:49750
Source: Network traffic Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.4:49730
Source: global traffic DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: ET6LdJaK54.dll String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe, 00000005.00000002.1713856474.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2341581947.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000009.00000002.1729269917.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000009.00000002.1729269917.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe, 00000009.00000002.1729269917.0000000000A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/(3
Source: mssecsvc.exe, 00000006.00000002.2341581947.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/L
Source: mssecsvc.exe, 00000006.00000002.2341581947.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/YCN
Source: mssecsvc.exe, 00000006.00000002.2341581947.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/s
Source: mssecsvc.exe, 00000006.00000002.2341581947.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com9B
Source: mssecsvc.exe, 00000006.00000002.2341094885.000000000019D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: mssecsvc.exe, 00000006.00000002.2341581947.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comiA
Source: mssecsvc.exe, 00000009.00000002.1729269917.0000000000B04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.kryptoslogic.com
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\tasksche.exe Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY! 7_2_004014A6
Source: Yara match File source: ET6LdJaK54.dll, type: SAMPLE
Source: Yara match File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.1e78104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.1e740a4.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.23cd96c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.23cd96c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.1e9b128.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.1e9b128.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.23aa948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.239b8c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.1e69084.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.1e78104.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.23aa948.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.mssecsvc.exe.23a68e8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.1686586617.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2341224146.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1728446272.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.1694602947.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.1714967200.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1713090731.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1713422130.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1728599696.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2342094636.0000000001E78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.1715294375.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2341341531.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.1686721857.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.1694846214.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2347378934.00000000023AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mssecsvc.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mssecsvc.exe PID: 7604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mssecsvc.exe PID: 7792, type: MEMORYSTR
Source: Yara match File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Source: ET6LdJaK54.dll, type: SAMPLE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: ET6LdJaK54.dll, type: SAMPLE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.239b8c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1e69084.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1e78104.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1e78104.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.1e78104.3.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1e740a4.2.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1e740a4.2.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.23cd96c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.23cd96c.6.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.23cd96c.6.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.23cd96c.6.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.23cd96c.6.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.23cd96c.6.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1e9b128.5.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1e9b128.5.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.1e9b128.5.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1e9b128.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1e9b128.5.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.1e9b128.5.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.23aa948.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.23aa948.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.23aa948.9.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.239b8c8.7.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.239b8c8.7.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1e69084.4.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1e69084.4.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.1e69084.4.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.1e69084.4.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1e78104.3.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1e78104.3.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.23aa948.9.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.23aa948.9.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.23a68e8.8.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.23a68e8.8.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.1727695977.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.1710158629.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.1728045556.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000000.1703594047.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.1713422130.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.1728599696.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2342094636.0000000001E78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000000.1715294375.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2341341531.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.1686721857.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1694846214.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2347378934.00000000023AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe File created: C:\WINDOWS\tasksche.exe
Source: C:\Windows\mssecsvc.exe File created: C:\WINDOWS\tasksche.exe
Source: C:\Windows\tasksche.exe Code function: 7_2_00406C40
Source: C:\Windows\tasksche.exe Code function: 7_2_00402A76
Source: C:\Windows\tasksche.exe Code function: 7_2_00402E7E
Source: C:\Windows\tasksche.exe Code function: 7_2_0040350F
Source: C:\Windows\tasksche.exe Code function: 7_2_00404C19
Source: C:\Windows\tasksche.exe Code function: 7_2_0040541F
Source: C:\Windows\tasksche.exe Code function: 7_2_00403797
Source: C:\Windows\tasksche.exe Code function: 7_2_004043B7
Source: C:\Windows\tasksche.exe Code function: 7_2_004031BC
Source: tasksche.exe.5.dr Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: ET6LdJaK54.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: ET6LdJaK54.dll, type: SAMPLE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: ET6LdJaK54.dll, type: SAMPLE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.239b8c8.7.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1e69084.4.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1e78104.3.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1e78104.3.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.1e78104.3.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1e740a4.2.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1e740a4.2.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.23cd96c.6.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.23cd96c.6.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.23cd96c.6.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.23cd96c.6.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.23cd96c.6.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.23cd96c.6.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1e9b128.5.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1e9b128.5.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.1e9b128.5.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1e9b128.5.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1e9b128.5.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.1e9b128.5.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.23aa948.9.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.23aa948.9.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.23aa948.9.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.239b8c8.7.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.239b8c8.7.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1e69084.4.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1e69084.4.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.1e69084.4.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.1e69084.4.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1e78104.3.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1e78104.3.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.23aa948.9.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.23aa948.9.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.23a68e8.8.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.23a68e8.8.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.1727695977.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.1710158629.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.1728045556.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000000.1703594047.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.1713422130.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.1728599696.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2342094636.0000000001E78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.1715294375.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2341341531.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.1686721857.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1694846214.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2347378934.00000000023AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: tasksche.exe, 00000007.00000002.1710158629.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000A.00000000.1727695977.000000000040E000.00000008.00000001.01000000.00000007.sdmp, ET6LdJaK54.dll, tasksche.exe.5.dr Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: classification engine Classification label: mal100.rans.expl.evad.winDLL@20/2@1/100
Source: C:\Windows\mssecsvc.exe Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 5_2_00407C40
Source: C:\Windows\mssecsvc.exe Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 6_2_00407C40
Source: C:\Windows\tasksche.exe Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 7_2_00401CE8
Source: C:\Windows\mssecsvc.exe Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle, 5_2_00407CE0
Source: C:\Windows\mssecsvc.exe Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 5_2_00407C40
Source: C:\Windows\mssecsvc.exe Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA, 5_2_00408090
Source: C:\Windows\mssecsvc.exe Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA, 6_2_00408090
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: ET6LdJaK54.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ET6LdJaK54.dll,PlayGame
Source: ET6LdJaK54.dll ReversingLabs: Detection: 94%
Source: ET6LdJaK54.dll Virustotal: Detection: 93%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ET6LdJaK54.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ET6LdJaK54.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ET6LdJaK54.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ET6LdJaK54.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\mssecsvc.exe Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ET6LdJaK54.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\mssecsvc.exe Section loaded: apphelp.dll
Source: C:\Windows\mssecsvc.exe Section loaded: msvcp60.dll
Source: C:\Windows\mssecsvc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\mssecsvc.exe Section loaded: wininet.dll
Source: C:\Windows\mssecsvc.exe Section loaded: iertutil.dll
Source: C:\Windows\mssecsvc.exe Section loaded: sspicli.dll
Source: C:\Windows\mssecsvc.exe Section loaded: windows.storage.dll
Source: C:\Windows\mssecsvc.exe Section loaded: wldp.dll
Source: C:\Windows\mssecsvc.exe Section loaded: profapi.dll
Source: C:\Windows\mssecsvc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\mssecsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\mssecsvc.exe Section loaded: winhttp.dll
Source: C:\Windows\mssecsvc.exe Section loaded: mswsock.dll
Source: C:\Windows\mssecsvc.exe Section loaded: winnsi.dll
Source: C:\Windows\mssecsvc.exe Section loaded: urlmon.dll
Source: C:\Windows\mssecsvc.exe Section loaded: srvcli.dll
Source: C:\Windows\mssecsvc.exe Section loaded: netutils.dll
Source: C:\Windows\mssecsvc.exe Section loaded: dnsapi.dll
Source: C:\Windows\mssecsvc.exe Section loaded: rasadhlp.dll
Source: C:\Windows\mssecsvc.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\mssecsvc.exe Section loaded: cryptsp.dll
Source: C:\Windows\mssecsvc.exe Section loaded: rsaenh.dll
Source: C:\Windows\mssecsvc.exe Section loaded: cryptbase.dll
Source: C:\Windows\mssecsvc.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\mssecsvc.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\mssecsvc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: ET6LdJaK54.dll Static file information: File size 5267459 > 1048576
Source: ET6LdJaK54.dll Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
Source: Binary string: ole32.pdbdCompareExchange64 source: ET6LdJaK54.dll, tasksche.exe.5.dr
Source: Binary string: ole32.pdb source: ET6LdJaK54.dll, tasksche.exe.5.dr
Source: C:\Windows\tasksche.exe Code function: 7_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_00401A45
Source: C:\Windows\tasksche.exe Code function: 7_2_00407710 push eax; ret 7_2_0040773E
Source: C:\Windows\tasksche.exe Code function: 7_2_004076C8 push eax; ret 7_2_004076E6

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe Executable created and started: C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe Executable created and started: C:\WINDOWS\tasksche.exe
Source: C:\Windows\mssecsvc.exe File created: C:\WINDOWS\qeriuwjhrf (copy)
Source: C:\Windows\mssecsvc.exe File created: C:\Windows\tasksche.exe
Source: C:\Windows\mssecsvc.exe Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 5_2_00407C40
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\mssecsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\mssecsvc.exe Thread delayed: delay time: 86400000
Source: C:\Windows\mssecsvc.exe TID: 7648 Thread sleep count: 90 > 30
Source: C:\Windows\mssecsvc.exe TID: 7648 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\mssecsvc.exe TID: 7652 Thread sleep count: 126 > 30
Source: C:\Windows\mssecsvc.exe TID: 7652 Thread sleep count: 35 > 30
Source: C:\Windows\mssecsvc.exe TID: 7648 Thread sleep time: -86400000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\mssecsvc.exe Thread delayed: delay time: 86400000
Source: mssecsvc.exe, 00000005.00000002.1713856474.0000000000D45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: mssecsvc.exe, 00000006.00000003.1701575704.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2341581947.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW\
Source: mssecsvc.exe, 00000005.00000002.1713856474.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000003.1701575704.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2341581947.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2341581947.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000009.00000002.1729269917.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000009.00000002.1729269917.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\tasksche.exe Code function: 7_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_00401A45
Source: C:\Windows\tasksche.exe Code function: 7_2_004029CC free,GetProcessHeap,HeapFree, 7_2_004029CC
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ET6LdJaK54.dll",#1
Source: C:\Windows\mssecsvc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid