
Analysis Report ETCq4qdXKF

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 210242
Start date: 23.02.2020
Start time: 00:28:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ETCq4qdXKF (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.expl.evad.winDLL@10/2@0/100
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 99.4% (good quality ratio 90.1%)
  • Quality average: 76.6%
  • Quality standard deviation: 32.6%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42, 40.90.22.189, 40.90.22.187, 40.90.22.183, 51.105.249.228, 67.27.158.254, 67.27.235.126, 67.27.159.126, 67.26.137.254, 8.248.125.254
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, lgin.msa.trafficmanager.net, am3p.wns.notify.windows.com.akadns.net, login.live.com, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wns.notify.windows.com.akadns.net, login.msa.msidentity.com
  • Execution Graph export aborted for target tasksche.exe, PID 5056 because there are no executed functions
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Errors:
  • Sigma syntax error: One detector has no map or list, Rule: Discovery of a System Time
  • Sigma syntax error: One detector has no map or list, Rule: File or Folder Permissions Modifications
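The two Sigma errors above point at a structural defect in a rule's `detection` section: every named detector there has to be a YAML map (field: value) or a list, and only `condition` (and `timeframe`) may be a plain scalar. The following Python is an added example for this page, not Joe Sandbox or SigmaHQ code: it checks that shape, shows a broken and a corrected rule (both bodies are illustrative reconstructions written for this example and shown as the dicts PyYAML would load, not the rules the sandbox actually ran), and evaluates the corrected rule over constructed process-creation events.

```python
"""Shape check for a Sigma rule's `detection` section plus a small evaluator.

Added example; not Joe Sandbox or SigmaHQ code. Rule bodies and events below
are constructed for illustration.
"""

SCALAR_KEYS = {"condition", "timeframe"}  # the only keys allowed to be scalars


def detector_shape_errors(rule):
    """Return a list of problems with rule['detection']; empty means well-formed."""
    detection = rule.get("detection")
    if not isinstance(detection, dict):
        return ["detection section missing or not a map"]
    errors = []
    if "condition" not in detection:
        errors.append("detection has no condition")
    for name, body in detection.items():
        if name in SCALAR_KEYS:
            continue
        if isinstance(body, (dict, list)):
            if not body:
                errors.append(f"detector {name!r} is empty")
        else:
            errors.append(f"detector {name!r} has no map or list (got {type(body).__name__})")
    return errors


def selection_matches(selection, event):
    """Map-style detector: every field must match (AND); a list of values for a
    field matches if any one does (OR). Matching is case-insensitive, as in Sigma;
    the contains/startswith/endswith modifiers are supported here."""
    for spec, wanted in selection.items():
        field, _, modifier = spec.partition("|")
        actual = str(event.get(field, "")).lower()
        candidates = wanted if isinstance(wanted, list) else [wanted]
        matched = False
        for value in candidates:
            value = str(value).lower()
            if modifier == "contains":
                matched = value in actual
            elif modifier == "startswith":
                matched = actual.startswith(value)
            elif modifier == "endswith":
                matched = actual.endswith(value)
            else:
                matched = actual == value
            if matched:
                break
        if not matched:
            return False
    return True


def detector_matches(detector, event):
    """Map: all fields match. List: any element matches, where a map element is a
    selection and a plain string is a keyword searched across every event field."""
    if isinstance(detector, dict):
        return selection_matches(detector, event)
    haystack = " ".join(str(v) for v in event.values()).lower()
    return any(selection_matches(item, event) if isinstance(item, dict)
               else str(item).lower() in haystack
               for item in detector)


def rule_hits(rule, events):
    """Apply a rule whose condition names a single detector; reject malformed rules."""
    errors = detector_shape_errors(rule)
    if errors:
        raise ValueError("malformed rule: " + "; ".join(errors))
    detection = rule["detection"]
    detector = detection[detection["condition"].strip()]
    return [e for e in events if detector_matches(detector, e)]


# Broken form: the detector is a bare string, so there is no field to match against.
BROKEN_RULE = {
    "title": "Discovery of a System Time",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": "net time", "condition": "selection"},
}

# Corrected form: the detector is a map of field (with modifier) -> value(s).
FIXED_RULE = {
    "title": "Discovery of a System Time",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\net.exe", "\\net1.exe", "\\w32tm.exe"],
            "CommandLine|contains": ["time", "/tz"],
        },
        "condition": "selection",
    },
}

SAMPLE_EVENTS = [  # constructed process_creation events
    {"Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net time \\\\DC01"},
    {"Image": "C:\\Windows\\System32\\w32tm.exe", "CommandLine": "w32tm /tz"},
    {"Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net use Z: \\\\fs\\share"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad time.txt"},
]
```

Run against the constructed events, the corrected rule matches the `net time` and `w32tm /tz` launches and ignores the `net use` and notepad ones, while the broken rule is rejected before evaluation, which is the behaviour a rule engine should have instead of silently matching nothing.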

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Wannacry
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample is a service DLL but no service has been registered
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Techniques per tactic as laid out in the report's matrix. A number in parentheses is the count of matched behaviour signatures mapped to that technique (two numbers where the original cell carried two counts); techniques without a number are grid entries with no match for this sample.

  • Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
  • Execution: Service Execution (2); Rundll32 (1); Execution through API (1); Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
  • Persistence: Modify Existing Service (1); New Service (4); Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
  • Privilege Escalation: Process Injection (1); New Service (4); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
  • Defense Evasion: Masquerading (1, 2); Software Packing (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Rundll32 (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
  • Credential Access: Input Capture (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
  • Discovery: Network Share Discovery (1); Virtualization/Sandbox Evasion (1); Application Window Discovery (1); Security Software Discovery (1, 1, 1); System Information Discovery (2); System Owner/User Discovery; Network Sniffing
  • Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
  • Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
  • Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
  • Command and Control: Commonly Used Port (1); Standard Cryptographic Protocol (2, 2); Standard Application Layer Protocol (1); Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Data Encrypted for Impact (1); Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Windows\mssecsvc.exe; Avira: detection malicious, Label: TR/Ransom.UL
Source: C:\Windows\tasksche.exe; Avira: detection malicious, Label: TR/Ransom.UL
Antivirus detection for sample
Source: ETCq4qdXKF.dll; Avira: detection malicious, Label: TR/AD.WannaCry.xapjz
Multi AV Scanner detection for dropped file
Source: C:\Windows\mssecsvc.exe; Virustotal: Detection: 92%
Source: C:\Windows\mssecsvc.exe; Metadefender: Detection: 82%
Source: C:\Windows\mssecsvc.exe; ReversingLabs TitaniumCloud: Detection: 93%
Source: C:\Windows\tasksche.exe; Virustotal: Detection: 94%
Source: C:\Windows\tasksche.exe; Metadefender: Detection: 85%
Source: C:\Windows\tasksche.exe; ReversingLabs TitaniumCloud: Detection: 93%
Multi AV Scanner detection for submitted file
Source: ETCq4qdXKF.dll; Virustotal: Detection: 91%
Source: ETCq4qdXKF.dll; Metadefender: Detection: 81%
Source: ETCq4qdXKF.dll; ReversingLabs TitaniumCloud: Detection: 89%
Machine Learning detection for dropped file
Source: C:\Windows\mssecsvc.exe; Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ETCq4qdXKF.dll; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.tasksche.exe.400000.0.unpack; Avira: Label: TR/Ransom.UL
Source: 3.2.mssecsvc.exe.400000.0.unpack; Avira: Label: TR/Ransom.UL
Source: 4.2.mssecsvc.exe.400000.0.unpack; Avira: Label: TR/Ransom.UL
Source: 4.0.mssecsvc.exe.400000.0.unpack; Avira: Label: TR/Ransom.UL
Source: 5.0.tasksche.exe.400000.0.unpack; Avira: Label: TR/Ransom.UL
Source: 3.0.mssecsvc.exe.400000.0.unpack; Avira: Label: TR/Ransom.UL

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\tasksche.exe; Code function: 5_2_004018B9 CryptReleaseContext, 5_2_004018B9

Exploits:

Connects to many different private IPs (likely to spread or exploit)
Source: global traffic; TCP traffic to port 445 on 192.168.2.1 through 192.168.2.254, i.e. every host address in 192.168.2.0/24 (254 destinations, each listed on its own line in the original report)
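The evidence behind this signature and the SMB-specific one that follows is a single source sweeping TCP/445 across an entire private /24 within the five-minute run. The following Python is an added example for this page, not Joe Sandbox code: it expresses that behaviour as detection logic over connection logs. The log format is a constructed, Zeek conn.log-like TSV (ts, id.orig_h, id.resp_h, id.resp_p, proto), and the window and threshold values are assumptions chosen for the example rather than values taken from the report.

```python
"""Flag a host that fans out over TCP/445 to many distinct private addresses in a
short sliding window (worm-style SMB sweep).

Added example; not Joe Sandbox code. Log lines are constructed; WINDOW_SECONDS
and THRESHOLD are assumed tuning values, not figures from the report.
"""
from collections import defaultdict
from ipaddress import ip_address

WINDOW_SECONDS = 60.0  # assumed: a sweep must fit inside this span to count
THRESHOLD = 20         # assumed: distinct private peers on 445 that raise an alert


def parse_conn_lines(text):
    """Yield (ts, src, dst, dport) from TSV lines; '#' lines are headers/comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        if proto != "tcp":
            continue
        yield float(ts), src, dst, int(dport)


def smb_fanout_alerts(records, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src: peak distinct private 445 peers} for each source whose peer
    count reaches `threshold` inside some `window`-second sliding span."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == 445 and ip_address(dst).is_private:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                 # by timestamp
        in_window = defaultdict(int)  # dst -> connections still inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Expire connections older than the window from the left edge.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


def constructed_sample_log():
    """Constructed input: 192.168.2.100 sweeps .1-.30 on 445 within six seconds;
    192.168.2.50 talks to one file server on 445 and to one HTTPS endpoint."""
    t0 = 1582417691.0  # arbitrary epoch seconds
    lines = ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto"]
    for host in range(1, 31):
        lines.append(f"{t0 + host * 0.2:.3f}\t192.168.2.100\t192.168.2.{host}\t445\ttcp")
    for i in range(40):
        lines.append(f"{t0 + i * 1.5:.3f}\t192.168.2.50\t192.168.2.10\t445\ttcp")
    lines.append(f"{t0 + 5.0:.3f}\t192.168.2.50\t8.8.8.8\t443\ttcp")
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = smb_fanout_alerts(parse_conn_lines(constructed_sample_log()))
    for src, peers in alerts.items():
        print(f"ALERT {src}: {peers} distinct private hosts on TCP/445 "
              f"within {WINDOW_SECONDS:.0f}s")
```

The benign host, which hammers a single file server on 445 forty times, never trips the rule because the count is of distinct destinations rather than connections; the sweep from 192.168.2.100 does. Tightening the window to one second makes the same sweep invisible, which is the trade-off to keep in mind when tuning: a slow scanner spreads its connections across windows, so the window should be sized to the dwell time you are willing to tolerate.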
Connects to many different private IPs via SMB (likely to spread or exploit)
Source: global traffic; TCP traffic to port 445 on the same 192.168.2.0/24 host addresses listed under the previous signature (this excerpt shows the first 130 entries, 192.168.2.148 through 192.168.2.44 in the report's order, and the per-host list continues beyond it)
Source: global trafficTCP traffic: 192.168.2.43:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.46:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.45:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.48:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.47:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.40:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.28:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.27:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.29:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.31:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.30:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.33:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.32:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.35:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.34:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.37:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.36:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.17:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.16:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.19:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.18:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.20:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.22:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.21:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.24:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.23:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.26:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.25:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.11:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.10:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.13:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.12:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.15:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.14:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.2:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.1:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.180:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.181:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.8:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.7:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.9:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.4:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.3:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.6:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.5:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.86:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.85:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.88:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.87:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.89:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.184:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.185:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.80:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.182:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.183:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.82:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.188:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.81:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.189:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.84:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.186:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.83:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.187:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.191:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.192:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.190:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.75:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.74:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.77:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.76:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.79:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.78:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.195:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.196:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.193:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.194:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.71:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.199:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.70:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.73:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.197:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.72:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.198:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.64:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.63:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.66:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.168:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.65:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.169:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.68:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.67:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.69:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.162:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.163:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.160:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.161:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.60:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.166:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.167:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.62:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.164:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.61:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.165:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.170:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.49:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.53:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.52:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.55:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.179:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.54:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.57:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.56:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.59:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.58:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.173:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.174:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.171:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.172:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.177:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.178:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.51:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.175:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.50:445Jump to behavior
Source: global trafficTCP traffic: 192.168.2.176:445Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025992 ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags) 192.168.2.5:50357 -> 45.89.103.2:445
Source: Traffic, Snort IDS: 2025649 ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style) 192.168.2.5:50357 -> 45.89.103.2:445
Source: Traffic, Snort IDS: 2025992 ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags) 192.168.2.5:51052 -> 45.89.103.8:445
Source: Traffic, Snort IDS: 2025649 ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style) 192.168.2.5:51052 -> 45.89.103.8:445
Source: Traffic, Snort IDS: 2025992 ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags) 192.168.2.5:52323 -> 45.89.103.15:445
Source: Traffic, Snort IDS: 2025649 ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style) 192.168.2.5:52323 -> 45.89.103.15:445
Connects to many IPs within the same subnet mask (likely port scanning)
Source: global traffic, TCP traffic: Count: 20 IPs: 45.89.103.13,45.89.103.25,45.89.103.14,45.89.103.15,45.89.103.16,45.89.103.10,45.89.103.11,45.89.103.12,45.89.103.17,45.89.103.18,45.89.103.1,45.89.103.19,45.89.103.3,45.89.103.2,45.89.103.5,45.89.103.4,45.89.103.7,45.89.103.6,45.89.103.9,45.89.103.8
Connects to several IPs in different countries
Source: unknown, Network traffic detected: IP country count 19
Connects to IPs without corresponding DNS lookups
Source: unknown, TCP traffic detected without corresponding DNS query: 134.195.150.103
Source: unknown, TCP traffic detected without corresponding DNS query: 64.168.56.47
Source: unknown, TCP traffic detected without corresponding DNS query: 53.160.116.63
Source: unknown, TCP traffic detected without corresponding DNS query: 26.137.126.223
Source: unknown, TCP traffic detected without corresponding DNS query: 20.122.92.66
Source: unknown, TCP traffic detected without corresponding DNS query: 57.83.157.62
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 16.15.35.128
Source: unknown, TCP traffic detected without corresponding DNS query: 35.118.232.103
Source: unknown, TCP traffic detected without corresponding DNS query: 160.219.56.156
Source: unknown, TCP traffic detected without corresponding DNS query: 180.44.71.238
Source: unknown, TCP traffic detected without corresponding DNS query: 119.168.213.22
Source: unknown, TCP traffic detected without corresponding DNS query: 94.65.67.40
Source: unknown, TCP traffic detected without corresponding DNS query: 47.237.25.227
Source: unknown, TCP traffic detected without corresponding DNS query: 174.39.93.13
Source: unknown, TCP traffic detected without corresponding DNS query: 190.27.95.220
Source: unknown, TCP traffic detected without corresponding DNS query: 28.239.233.211
Source: unknown, TCP traffic detected without corresponding DNS query: 61.191.44.116
Source: unknown, TCP traffic detected without corresponding DNS query: 7.165.80.161
Source: unknown, TCP traffic detected without corresponding DNS query: 100.231.28.111
Source: unknown, TCP traffic detected without corresponding DNS query: 102.144.195.55
Source: unknown, TCP traffic detected without corresponding DNS query: 208.58.122.73
Source: unknown, TCP traffic detected without corresponding DNS query: 57.46.34.83
Source: unknown, TCP traffic detected without corresponding DNS query: 162.158.147.104
Source: unknown, TCP traffic detected without corresponding DNS query: 208.58.122.73
Source: unknown, TCP traffic detected without corresponding DNS query: 32.113.62.103
Source: unknown, TCP traffic detected without corresponding DNS query: 17.57.116.28
Source: unknown, TCP traffic detected without corresponding DNS query: 215.46.181.137
Source: unknown, TCP traffic detected without corresponding DNS query: 3.111.191.9
Source: unknown, TCP traffic detected without corresponding DNS query: 84.157.242.17
Source: unknown, TCP traffic detected without corresponding DNS query: 177.39.66.237
Source: unknown, TCP traffic detected without corresponding DNS query: 76.191.168.214
Source: unknown, TCP traffic detected without corresponding DNS query: 198.216.211.220
Source: unknown, TCP traffic detected without corresponding DNS query: 197.93.118.247
Source: unknown, TCP traffic detected without corresponding DNS query: 105.225.126.42
Source: unknown, TCP traffic detected without corresponding DNS query: 196.3.8.247
Source: unknown, TCP traffic detected without corresponding DNS query: 193.182.253.251
Source: unknown, TCP traffic detected without corresponding DNS query: 73.151.128.118
Source: unknown, TCP traffic detected without corresponding DNS query: 38.174.147.55
Source: unknown, TCP traffic detected without corresponding DNS query: 4.146.213.104
Source: unknown, TCP traffic detected without corresponding DNS query: 79.164.49.97
Source: unknown, TCP traffic detected without corresponding DNS query: 197.179.154.121
Source: unknown, TCP traffic detected without corresponding DNS query: 21.134.241.229
Source: unknown, TCP traffic detected without corresponding DNS query: 33.108.56.8
Source: unknown, TCP traffic detected without corresponding DNS query: 184.172.52.29
Source: unknown, TCP traffic detected without corresponding DNS query: 97.18.63.195
Source: unknown, TCP traffic detected without corresponding DNS query: 133.194.249.165
Source: unknown, TCP traffic detected without corresponding DNS query: 201.27.191.254
Source: unknown, TCP traffic detected without corresponding DNS query: 43.164.219.119
Source: unknown, TCP traffic detected without corresponding DNS query: 112.85.133.252
Uses HTTPS
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown, Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49772 -> 443
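The two scan patterns in this report (a sweep of the sandbox's own 192.168.2.0/24 on tcp/445, and a sweep of a random public /24, 45.89.103.0/24, carrying the EternalBlue probes) are what the "Connects to many IPs within the same subnet mask" signature keys on. The following is an added example, not code from Joe Sandbox or from the sample, that implements that logic over connection records: group outbound attempts by (source, destination /24, destination port), flag groups whose distinct-target count reaches a threshold, and label the /24 as private or public so an analyst can tell lateral movement from internet scanning. The "src:sport -> dst:dport" record format, the sample records, the function names and the threshold of 10 are assumptions made for this example.

```python
"""Same-/24 port-445 sweep detector (added example, not part of the sandbox report)."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def parse_flow(line: str) -> Flow:
    """Parse one 'src:sport -> dst:dport' record (IPv4, as in the report's lines)."""
    left, right = (part.strip() for part in line.split("->"))
    src_ip, src_port = left.rsplit(":", 1)
    dst_ip, dst_port = right.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port)


def build_sample_flows() -> List[str]:
    """Constructed records modelled on the report, not taken from its capture."""
    # Local-subnet sweep: twenty hosts in 192.168.2.0/24 on tcp/445.
    flows = [f"192.168.2.5:{50000 + h} -> 192.168.2.{h}:445" for h in range(1, 21)]
    # Internet sweep: twenty hosts in 45.89.103.0/24 on tcp/445 (the probed /24).
    flows += [f"192.168.2.5:{51000 + h} -> 45.89.103.{h}:445" for h in range(1, 21)]
    flows += [
        "192.168.2.5:49787 -> 93.184.220.29:443",  # ordinary HTTPS, wrong port: ignored
        "192.168.2.5:49001 -> 192.168.2.1:80",     # wrong port: ignored
        "192.168.2.7:49002 -> 192.168.2.9:445",    # one SMB connection: under threshold
    ]
    return flows


def group_by_subnet(lines: Iterable[str], dport: int = 445, prefix: int = 24
                    ) -> Dict[Tuple[str, str], Set[str]]:
    """Map (source, destination network) to the distinct destinations hit on dport."""
    groups: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in lines:
        src_ip, _, dst_ip, dst_port = parse_flow(line)
        if dst_port != dport:
            continue
        net = ipaddress.ip_network(f"{dst_ip}/{prefix}", strict=False)
        groups[(src_ip, str(net))].add(dst_ip)
    return groups


def detect_sweeps(lines: Iterable[str], dport: int = 445, prefix: int = 24,
                  threshold: int = 10) -> List[dict]:
    """Return one finding per (source, /24) whose distinct-target count >= threshold."""
    findings = []
    for (src_ip, net), targets in group_by_subnet(lines, dport, prefix).items():
        if len(targets) < threshold:
            continue
        scope = "private" if ipaddress.ip_network(net).is_private else "public"
        findings.append({"src": src_ip, "network": net, "dport": dport,
                         "targets": len(targets), "scope": scope})
    findings.sort(key=lambda f: (f["src"], f["network"]))
    return findings


if __name__ == "__main__":
    for f in detect_sweeps(build_sample_flows()):
        print(f"{f['src']} swept {f['targets']} hosts in {f['network']} "
              f"({f['scope']}) on tcp/{f['dport']}")
```

Run against the constructed records this reports two sweeps from 192.168.2.5, one private and one public, and nothing for the single legitimate SMB connection. On real flow logs the threshold and window need tuning; a file server with many clients will not trip this because the grouping is by source, but a vulnerability scanner will, so pair the rule with an allow-list of scanner hosts.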

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: mssecsvc.exe, 00000003.00000002.2060171208.0000000000C20000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the evidence here is a string found in process memory, not an observed API call, and the function it names (DirectDrawCreateEx, a ddraw.dll export) belongs to DirectDraw rather than DirectInput; treat this signature as weak on its own.

Spam, unwanted Advertisements and Ransom Demands:

Detected Wannacry Ransomware
Source: C:\Windows\tasksche.exe, Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, string WANACRY!, function 5_2_004014A6 (opens a file, checks its size and compares its leading bytes with the WANACRY! marker that the ransomware writes at the start of files it has already encrypted)
Yara detected Wannacry ransomware
Source: Yara match, File source: ETCq4qdXKF.dll, type: SAMPLE
Source: Yara match, File source: 00000003.00000000.2049990995.000000000040B000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.2052859089.000000000040B000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2464406311.000000000042E000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.2058883324.000000000040B000.00000008.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2468107416.0000000002222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2466976855.0000000001D0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: mssecsvc.exe PID: 3732, type: MEMORY
Source: Yara match, File source: Process Memory Space: mssecsvc.exe PID: 3656, type: MEMORY
Source: Yara match, File source: C:\Windows\mssecsvc.exe, type: DROPPED
Source: Yara match, File source: 3.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
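The flagged function in tasksche.exe (CreateFileA, GetFileSizeEx, memcmp against WANACRY!) is the check the ransomware itself uses to skip files it has already encrypted, and the same check is the quickest way for a responder to triage which files on a host are encrypted. The following is an added example, not the sample's code or Joe Sandbox's, that performs that check in Python. The report evidences only the size check and the comparison with the 8-byte marker; the rest of the header layout this example reads (4-byte key length of 0x100, the 256-byte RSA-encrypted AES key, a 4-byte type field and the 8-byte original file size) is the layout documented in public WannaCry analyses, and the sample file, the type value it uses and the function names are constructed for this example.

```python
"""Triage parser for the WANACRY! encrypted-file header (added example)."""
import os
import struct
from typing import Optional

MAGIC = b"WANACRY!"
KEY_LEN = 0x100
# Layout from public analyses: magic(8) | key_len(4) | encrypted AES key(256)
# | type(4) | original_size(8) | AES ciphertext. Little-endian, no padding.
HEADER_STRUCT = struct.Struct(f"<8sI{KEY_LEN}sIQ")


def parse_wanacry_header(data: bytes) -> Optional[dict]:
    """Return the parsed header, or None when data is not a WANACRY!-marked file.

    Mirrors the flagged function: size check first, then memcmp on the marker.
    """
    if len(data) < HEADER_STRUCT.size or not data.startswith(MAGIC):
        return None
    _magic, key_len, enc_key, enc_type, orig_size = HEADER_STRUCT.unpack_from(data)
    if key_len != KEY_LEN:
        # Marker present but layout unexpected: do not trust the remaining fields.
        return None
    return {
        "key_len": key_len,
        "encrypted_key": enc_key,          # RSA-encrypted per-file AES key
        "type": enc_type,                  # value not interpreted by this example
        "original_size": orig_size,        # plaintext length before padding
        "ciphertext_len": len(data) - HEADER_STRUCT.size,
    }


def is_wanacry_encrypted(data: bytes) -> bool:
    """Boolean form of the check, for bulk triage."""
    return parse_wanacry_header(data) is not None


def scan_file(path: str) -> Optional[dict]:
    """Check a file on disk reading only the header, as the flagged function does."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(HEADER_STRUCT.size)
    info = parse_wanacry_header(head)
    if info is not None:
        info["ciphertext_len"] = size - HEADER_STRUCT.size
    return info


def build_sample_file(orig_size: int = 1234, body_len: int = 1248) -> bytes:
    """Constructed stand-in for an encrypted file; key and body are zero-filled.

    The type value 4 is a placeholder chosen for this example, not a claim
    about what the malware writes.
    """
    header = HEADER_STRUCT.pack(MAGIC, KEY_LEN, b"\x00" * KEY_LEN, 4, orig_size)
    return header + b"\x00" * body_len


if __name__ == "__main__":
    sample = build_sample_file()
    print("constructed sample:", parse_wanacry_header(sample))
    print("PE header:", is_wanacry_encrypted(b"MZ\x90\x00" + b"\x00" * 300))
```

Because only the first 280 bytes are read, scan_file is cheap enough to run over a whole volume during incident response; note that the marker alone identifies a file as encrypted by this family but does not tell you which key encrypted it, so the encrypted_key field is what you would keep for any later recovery attempt.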

System Summary:

Malicious sample detected (through community Yara rule)
Source: ETCq4qdXKF.dll, type: SAMPLE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: ETCq4qdXKF.dll, type: SAMPLE, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.2055669822.000000000040E000.00000008.00020000.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.2057425597.000000000040E000.00000008.00020000.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.2464456318.0000000000710000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000003.00000000.2050081710.0000000000710000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000003.00000002.2058988316.0000000000710000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000000.2052946185.0000000000710000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.2468107416.0000000002222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.2466976855.0000000001D0D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvc.exe, type: DROPPED, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvc.exe, type: DROPPED, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvc.exe, type: DROPPED, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 3.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 3.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 3.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 3.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 3.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 3.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\WINDOWS\mssecsvc.exe
Detected potential crypto function
Source: C:\Windows\tasksche.exe, Code function: 5_2_00406C40
Source: C:\Windows\tasksche.exe, Code function: 5_2_00402A76
Source: C:\Windows\tasksche.exe, Code function: 5_2_00402E7E
Source: C:\Windows\tasksche.exe, Code function: 5_2_0040350F
Source: C:\Windows\tasksche.exe, Code function: 5_2_00404C19
Source: C:\Windows\tasksche.exe, Code function: 5_2_0040541F
Source: C:\Windows\tasksche.exe, Code function: 5_2_00403797
Source: C:\Windows\tasksche.exe, Code function: 5_2_004043B7
Source: C:\Windows\tasksche.exe, Code function: 5_2_004031BC
Dropped file seen in connection with other malware
Source: Joe Sandbox View, Dropped File: C:\Windows\tasksche.exe, SHA256 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
PE file contains executable resources (Code or Archives)
Source: mssecsvc.exe.2.dr, Static PE information: Resource name: R, type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.3.dr, Static PE information: Resource name: XIA, type: Zip archive data, at least v2.0 to extract
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\rundll32.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe, Section loaded: sfc.dll
Yara signature match
Source: ETCq4qdXKF.dll, type: SAMPLE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: ETCq4qdXKF.dll, type: SAMPLE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.2055669822.000000000040E000.00000008.00020000.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.2057425597.000000000040E000.00000008.00020000.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.2464456318.0000000000710000.00000002.00020000.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000003.00000000.2050081710.0000000000710000.00000002.00020000.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000003.00000002.2058988316.0000000000710000.00000002.00020000.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.2052946185.0000000000710000.00000002.00020000.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.2468107416.0000000002222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.2466976855.0000000001D0D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvc.exe, type: DROPPED, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvc.exe, type: DROPPED, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 3.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 3.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 3.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 3.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 3.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 3.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Binary contains paths to development resources
Source: tasksche.exe, 00000005.00000000.2055669822.000000000040E000.00000008.00020000.sdmp, ETCq4qdXKF.dll | Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Classification label
Source: classification engine | Classification label: mal100.rans.troj.expl.evad.winDLL@10/2@0/100
Contains functionality to create services
Source: C:\Windows\mssecsvc.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,3_2_00407C40
Source: C:\Windows\mssecsvc.exe | Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,4_2_00407C40
Source: C:\Windows\tasksche.exe | Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,5_2_00401CE8
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\mssecsvc.exe | Code function: 3_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,CloseHandle,CloseHandle,3_2_00407CE0
Contains functionality to modify services (start/stop/modify)
Source: C:\Windows\mssecsvc.exe | Code function: 3_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,3_2_00407C40
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Windows\mssecsvc.exe | Code function: 3_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,3_2_00408090
Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,4_2_00408090
PE file has an executable .text section and no other executable section
Source: ETCq4qdXKF.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\ETCq4qdXKF.dll',DllRegisterServer
Sample is known by Antivirus
Source: ETCq4qdXKF.dll | Virustotal: Detection: 91%
Source: ETCq4qdXKF.dll | Metadefender: Detection: 81%
Source: ETCq4qdXKF.dll | ReversingLabs TitaniumCloud: Detection: 89%
Spawns processes
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ETCq4qdXKF.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\ETCq4qdXKF.dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ETCq4qdXKF.dll,PlayGame
Source: unknown | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: unknown | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\ETCq4qdXKF.dll',DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ETCq4qdXKF.dll,PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe | Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Submission file is bigger than most known malware samples
Source: ETCq4qdXKF.dll | Static file information: File size 5267459 > 1048576
PE file has a big raw section
Source: ETCq4qdXKF.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\tasksche.exe | Code function: 5_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_00401A45
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\tasksche.exe | Code function: 5_2_00407710 push eax; ret 5_2_0040773E
Source: C:\Windows\tasksche.exe | Code function: 5_2_004076C8 push eax; ret 5_2_004076E6

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\rundll32.exe | Executable created and started: C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe | Executable created and started: C:\WINDOWS\tasksche.exe
Drops PE files
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe | File created: C:\Windows\tasksche.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe | File created: C:\Windows\tasksche.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\Windows\mssecsvc.exe | Code function: 3_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,3_2_00407C40

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\mssecsvc.exe | Window / User API: threadDelayed 871
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\mssecsvc.exe TID: 2896 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\mssecsvc.exe TID: 460 | Thread sleep count: 871 > 30
Source: C:\Windows\mssecsvc.exe TID: 460 | Thread sleep time: -87100s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\mssecsvc.exe | Last function: Thread delayed
Source: C:\Windows\mssecsvc.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: mssecsvc.exe, 00000003.00000002.2060171208.0000000000C20000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\tasksche.exe | Code function: 5_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_00401A45
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\tasksche.exe | Code function: 5_2_004029CC free,GetProcessHeap,HeapFree,5_2_004029CC

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\mssecsvc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Malware Configuration

No configs have been found

Behavior Graph

(Interactive behavior graph not reproduced. Its legend distinguishes nodes by type: process, signature, created file, DNS/IP info, dropped file, Windows process, number of created registry values and files, the language the binary was written in (Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other), malicious nodes, and Internet connections.)