wannacry | 89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15/01/2025, 16:46 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4467cf9b7f5c536f0766ac2851b53b7.dll
Size

5.0MB
MD5

f4467cf9b7f5c536f0766ac2851b53b7
SHA1

5c64d92015518d307b5e5856bc4e4ced71a08c2b
SHA256

89f0d1195df4ff42f0d0ff7726474b2ad6a135cbc78f255ff89b19903459bc67
SHA512

3a7bd00462040ed25e29ceef192dfcba74b81811465f5921b0a09deb4b3845e1686ed274ae12568f60ebee6fd9c6dbbc4cfd56a727f944101b1a86a38cc4c4a4
SSDEEP

24576:RbLgurihdmMSirYbcMNgef0QeQjG/D8kIqRYo:RnnMSPbcBVQej/1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3196) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 2 IoCs

pid	Process
2796	mssecsvr.exe
2104	mssecsvr.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\45VKPKEV.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\45VKPKEV.txt	mssecsvr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\UX21EWK7.txt	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\UX21EWK7.txt	mssecsvr.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BB110CF7-B9D3-4E57-AA3B-4797A715DE4F}\WpadDecisionReason = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-5b-e8-4d-80-ae\WpadDecisionReason = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-5b-e8-4d-80-ae\WpadDecision = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BB110CF7-B9D3-4E57-AA3B-4797A715DE4F}\12-5b-e8-4d-80-ae	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BB110CF7-B9D3-4E57-AA3B-4797A715DE4F}\WpadDecision = "0"	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-5b-e8-4d-80-ae\WpadDecisionTime = e078ccfb6c67db01	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BB110CF7-B9D3-4E57-AA3B-4797A715DE4F}	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BB110CF7-B9D3-4E57-AA3B-4797A715DE4F}\WpadDecisionTime = e078ccfb6c67db01	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BB110CF7-B9D3-4E57-AA3B-4797A715DE4F}\WpadNetworkName = "Network 3"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-5b-e8-4d-80-ae	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvr.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvr.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2876	2908	rundll32.exe	30
PID 2908 wrote to memory of 2876	2908	rundll32.exe	30
PID 2908 wrote to memory of 2876	2908	rundll32.exe	30
PID 2908 wrote to memory of 2876	2908	rundll32.exe	30
PID 2908 wrote to memory of 2876	2908	rundll32.exe	30
PID 2908 wrote to memory of 2876	2908	rundll32.exe	30
PID 2908 wrote to memory of 2876	2908	rundll32.exe	30
PID 2876 wrote to memory of 2796	2876	rundll32.exe	31
PID 2876 wrote to memory of 2796	2876	rundll32.exe	31
PID 2876 wrote to memory of 2796	2876	rundll32.exe	31
PID 2876 wrote to memory of 2796	2876	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4467cf9b7f5c536f0766ac2851b53b7.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4467cf9b7f5c536f0766ac2851b53b7.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2796

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2104

Network

DNS

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

mssecsvr.exe

Remote address:

8.8.8.8:53

Request

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

IN A

Response

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

IN A

103.224.212.215
GET

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/

mssecsvr.exe

Remote address:

103.224.212.215:80

Request

GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

date: Wed, 15 Jan 2025 16:46:10 GMT
server: Apache
set-cookie: __tad=1736959570.4286930; expires=Sat, 13-Jan-2035 16:46:10 GMT; Max-Age=315360000
location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0346-100f-b273-5591ca7c93bc
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
DNS

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

mssecsvr.exe

Remote address:

8.8.8.8:53

Request

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

IN A

Response

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

IN CNAME

77026.bodis.com

77026.bodis.com

IN A

199.59.243.228
GET

http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0346-100f-b273-5591ca7c93bc

mssecsvr.exe

Remote address:

199.59.243.228:80

Request

GET /?subid1=20250116-0346-100f-b273-5591ca7c93bc HTTP/1.1
Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Cache-Control: no-cache
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

date: Wed, 15 Jan 2025 16:46:09 GMT
content-type: text/html; charset=utf-8
content-length: 1262
x-request-id: 493622f4-f4b9-4970-b915-d28c7b06741d
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_w2B+GATDUosO8hxHmSuYyJKYa37rwLzMNcdCIXMp/SRlXBP9WfMb3er1ZbwtHonZ+vuGJbJLck5G22HdMw/4uw==
set-cookie: parking_session=493622f4-f4b9-4970-b915-d28c7b06741d; expires=Wed, 15 Jan 2025 17:01:10 GMT; path=/
GET

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/

mssecsvr.exe

Remote address:

103.224.212.215:80

Request

GET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Cache-Control: no-cache

Response

HTTP/1.1 302 Found

date: Wed, 15 Jan 2025 16:46:11 GMT
server: Apache
set-cookie: __tad=1736959571.7622872; expires=Sat, 13-Jan-2035 16:46:11 GMT; Max-Age=315360000
location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0346-118d-9d0d-8da093224933
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
GET

http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0346-118d-9d0d-8da093224933

mssecsvr.exe

Remote address:

199.59.243.228:80

Request

GET /?subid1=20250116-0346-118d-9d0d-8da093224933 HTTP/1.1
Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Cache-Control: no-cache
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

date: Wed, 15 Jan 2025 16:46:11 GMT
content-type: text/html; charset=utf-8
content-length: 1262
x-request-id: c6dbae34-9610-4d9b-ae07-013b4efc3c39
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bwQ44E+laBDsF+5cWAa8ifPaunawc4NEW7VAWb56VGFH1SOG/eib8Z5HubDrOWtzmF8WmODXajgvsdFzv4PAuA==
set-cookie: parking_session=c6dbae34-9610-4d9b-ae07-013b4efc3c39; expires=Wed, 15 Jan 2025 17:01:11 GMT; path=/

103.224.212.215:80

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/

http

mssecsvr.exe

330 B
537 B
5
4

HTTP Request

GET http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/

HTTP Response

302
199.59.243.228:80

http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0346-100f-b273-5591ca7c93bc

http

mssecsvr.exe

543 B
2.8kB
8
6

HTTP Request

GET http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0346-100f-b273-5591ca7c93bc

HTTP Response

200
103.224.212.215:80

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/

http

mssecsvr.exe

330 B
537 B
5
4

HTTP Request

GET http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/

HTTP Response

302
199.59.243.228:80

http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0346-118d-9d0d-8da093224933

http

mssecsvr.exe

537 B
2.8kB
8
6

HTTP Request

GET http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250116-0346-118d-9d0d-8da093224933

HTTP Response

200
34.80.119.2:445

mssecsvr.exe

52 B
1
10.127.0.1:445

mssecsvr.exe

52 B
1
10.127.1.1:445

mssecsvr.exe
10.127.2.1:445

mssecsvr.exe
10.127.3.1:445

mssecsvr.exe
10.127.4.1:445

mssecsvr.exe
10.127.5.1:445

mssecsvr.exe
10.127.6.1:445

mssecsvr.exe
10.127.7.1:445

mssecsvr.exe
10.127.8.1:445

mssecsvr.exe
10.127.9.1:445

mssecsvr.exe
10.127.10.1:445

mssecsvr.exe
144.208.48.199:445

mssecsvr.exe

52 B
1
10.127.11.1:445

mssecsvr.exe
10.127.12.1:445

mssecsvr.exe
167.98.121.29:445

mssecsvr.exe

52 B
1
25.249.232.191:445

mssecsvr.exe

52 B
1
10.127.13.1:445

mssecsvr.exe
10.127.14.1:445

mssecsvr.exe
10.127.15.1:445

mssecsvr.exe
10.127.16.1:445

mssecsvr.exe
10.127.17.1:445

mssecsvr.exe
10.127.18.1:445

mssecsvr.exe
10.127.19.1:445

mssecsvr.exe
10.127.20.1:445

mssecsvr.exe
10.127.21.1:445

mssecsvr.exe
10.127.22.1:445

mssecsvr.exe
10.127.23.1:445

mssecsvr.exe
10.127.24.1:445

mssecsvr.exe
10.127.25.1:445

mssecsvr.exe
10.127.26.1:445

mssecsvr.exe
10.127.27.1:445

mssecsvr.exe
10.127.28.1:445

mssecsvr.exe
10.127.29.1:445

mssecsvr.exe
10.127.30.1:445

mssecsvr.exe
10.127.31.1:445

mssecsvr.exe
10.127.32.1:445

mssecsvr.exe
94.107.159.186:445

mssecsvr.exe

52 B
1
8.54.30.0:445

mssecsvr.exe

52 B
1
37.114.90.248:445

mssecsvr.exe

52 B
1
110.25.137.202:445

mssecsvr.exe

52 B
1
204.232.52.54:445

mssecsvr.exe

52 B
1
10.127.33.1:445

mssecsvr.exe
10.127.34.1:445

mssecsvr.exe
10.127.35.1:445

mssecsvr.exe
10.127.36.1:445

mssecsvr.exe
10.127.37.1:445

mssecsvr.exe
10.127.38.1:445

mssecsvr.exe
10.127.39.1:445

mssecsvr.exe
10.127.40.1:445

mssecsvr.exe
10.127.41.1:445

mssecsvr.exe
10.127.42.1:445

mssecsvr.exe
10.127.43.1:445

mssecsvr.exe
10.127.44.1:445

mssecsvr.exe
10.127.45.1:445

mssecsvr.exe
10.127.46.1:445

mssecsvr.exe
10.127.47.1:445

mssecsvr.exe
10.127.48.1:445

mssecsvr.exe
10.127.49.1:445

mssecsvr.exe
10.127.50.1:445

mssecsvr.exe
10.127.51.1:445

mssecsvr.exe
12.10.115.140:445

mssecsvr.exe

52 B
1
10.127.52.1:445

mssecsvr.exe
10.127.53.1:445

mssecsvr.exe
10.127.54.1:445

mssecsvr.exe
114.122.124.129:445

mssecsvr.exe

52 B
1
161.252.144.245:445

mssecsvr.exe

52 B
1
88.95.87.204:445

mssecsvr.exe

52 B
1
154.207.150.97:445

mssecsvr.exe

104 B
80 B
2
2
92.51.27.46:445

mssecsvr.exe

52 B
1
100.166.84.87:445

mssecsvr.exe

52 B
1
10.127.55.1:445

mssecsvr.exe
10.127.56.1:445

mssecsvr.exe
10.127.57.1:445

mssecsvr.exe
10.127.58.1:445

mssecsvr.exe
10.127.59.1:445

mssecsvr.exe
10.127.60.1:445

mssecsvr.exe
10.127.61.1:445

mssecsvr.exe
10.127.62.1:445

mssecsvr.exe
10.127.63.1:445

mssecsvr.exe
10.127.64.1:445

mssecsvr.exe
10.127.65.1:445

mssecsvr.exe
10.127.66.1:445

mssecsvr.exe
10.127.67.1:445

mssecsvr.exe
10.127.68.1:445

mssecsvr.exe
10.127.69.1:445

mssecsvr.exe
10.127.70.1:445

mssecsvr.exe
41.63.94.100:445

mssecsvr.exe

52 B
1
10.127.71.1:445

mssecsvr.exe
10.127.72.1:445

mssecsvr.exe
164.105.147.233:445

mssecsvr.exe

52 B
1
213.159.91.56:445

mssecsvr.exe

52 B
1
32.129.239.42:445

mssecsvr.exe

52 B
1
35.98.49.128:445

mssecsvr.exe

52 B
1
68.106.208.240:445

mssecsvr.exe

52 B
1
170.152.140.237:445

mssecsvr.exe

52 B
1
10.127.73.1:445

mssecsvr.exe
198.152.180.31:445

mssecsvr.exe

52 B
1
112.47.171.31:445

mssecsvr.exe

52 B
1
10.127.74.1:445

mssecsvr.exe
10.127.75.1:445

mssecsvr.exe
10.127.76.1:445

mssecsvr.exe
10.127.77.1:445

mssecsvr.exe
10.127.78.1:445

mssecsvr.exe
10.127.79.1:445

mssecsvr.exe
10.127.80.1:445

mssecsvr.exe
10.127.81.1:445

mssecsvr.exe
10.127.82.1:445

mssecsvr.exe
10.127.83.1:445

mssecsvr.exe
10.127.84.1:445

mssecsvr.exe
10.127.85.1:445

mssecsvr.exe
10.127.86.1:445

mssecsvr.exe
10.127.87.1:445

mssecsvr.exe
10.127.88.1:445

mssecsvr.exe
29.201.35.156:445

mssecsvr.exe

52 B
1
10.127.89.1:445

mssecsvr.exe
10.127.90.1:445

mssecsvr.exe
24.173.183.78:445

mssecsvr.exe

52 B
1
7.30.10.168:445

mssecsvr.exe

52 B
1
158.85.248.176:445

mssecsvr.exe

52 B
1
41.27.7.238:445

mssecsvr.exe

52 B
1
46.213.26.195:445

mssecsvr.exe

52 B
1
12.191.116.56:445

mssecsvr.exe

52 B
1
105.144.60.42:445

mssecsvr.exe

52 B
1
37.0.98.126:445

mssecsvr.exe

52 B
1
193.3.131.117:445

mssecsvr.exe

52 B
1
10.127.91.1:445

mssecsvr.exe
10.127.92.1:445

mssecsvr.exe
10.127.93.1:445

mssecsvr.exe
10.127.94.1:445

mssecsvr.exe
10.127.95.1:445

mssecsvr.exe
10.127.96.1:445

mssecsvr.exe
10.127.97.1:445

mssecsvr.exe
10.127.98.1:445

mssecsvr.exe
10.127.99.1:445

mssecsvr.exe
10.127.100.1:445

mssecsvr.exe
10.127.101.1:445

mssecsvr.exe
10.127.102.1:445

mssecsvr.exe
10.127.103.1:445

mssecsvr.exe
10.127.104.1:445

mssecsvr.exe
10.127.105.1:445

mssecsvr.exe
10.127.106.1:445

mssecsvr.exe
10.127.107.1:445

mssecsvr.exe
10.127.108.1:445

mssecsvr.exe
10.127.109.1:445

mssecsvr.exe
10.127.110.1:445

mssecsvr.exe
42.233.245.115:445

mssecsvr.exe

52 B
1
140.52.231.85:445

mssecsvr.exe

52 B
1
209.120.23.121:445

mssecsvr.exe

52 B
1
65.155.13.188:445

mssecsvr.exe

52 B
1
163.230.38.200:445

mssecsvr.exe

52 B
1
31.172.139.2:445

mssecsvr.exe

52 B
1
98.11.177.96:445

mssecsvr.exe

52 B
1
217.111.179.49:445

mssecsvr.exe

52 B
1
3.131.42.227:445

mssecsvr.exe

104 B
80 B
2
2
128.49.216.15:445

mssecsvr.exe

52 B
1
100.164.231.250:445

mssecsvr.exe

52 B
1
205.178.190.202:445

mssecsvr.exe

52 B
1
10.127.111.1:445

mssecsvr.exe
10.127.112.1:445

mssecsvr.exe
10.127.113.1:445

mssecsvr.exe
10.127.114.1:445

mssecsvr.exe
10.127.115.1:445

mssecsvr.exe
10.127.116.1:445

mssecsvr.exe
10.127.117.1:445

mssecsvr.exe
10.127.118.1:445

mssecsvr.exe
10.127.119.1:445

mssecsvr.exe
10.127.120.1:445

mssecsvr.exe
10.127.121.1:445

mssecsvr.exe
10.127.122.1:445

mssecsvr.exe
10.127.123.1:445

mssecsvr.exe
10.127.124.1:445

mssecsvr.exe
10.127.125.1:445

mssecsvr.exe
10.127.126.1:445

mssecsvr.exe
10.127.127.1:445

mssecsvr.exe
10.127.128.1:445

mssecsvr.exe
10.127.129.1:445

mssecsvr.exe
10.127.130.1:445

mssecsvr.exe
10.127.131.1:445

mssecsvr.exe
42.202.158.151:445

mssecsvr.exe

52 B
1
190.111.237.214:445

mssecsvr.exe

52 B
1
207.38.50.93:445

mssecsvr.exe

52 B
1
28.132.59.26:445

mssecsvr.exe

52 B
1
198.242.167.141:445

mssecsvr.exe

52 B
1
54.115.111.246:445

mssecsvr.exe

52 B
1
115.124.247.169:445

mssecsvr.exe

52 B
1
134.95.224.161:445

mssecsvr.exe

52 B
1
64.117.20.252:445

mssecsvr.exe

52 B
1
20.72.142.245:445

mssecsvr.exe

52 B
1
104.157.134.72:445

mssecsvr.exe

52 B
1
59.60.181.51:445

mssecsvr.exe

52 B
1
4.69.86.79:445

mssecsvr.exe

52 B
1
30.145.151.203:445

mssecsvr.exe

52 B
1
71.134.139.149:445

mssecsvr.exe

52 B
1
10.127.132.1:445

mssecsvr.exe
10.127.133.1:445

mssecsvr.exe
10.127.134.1:445

mssecsvr.exe
10.127.135.1:445

mssecsvr.exe
10.127.136.1:445

mssecsvr.exe
10.127.137.1:445

mssecsvr.exe
10.127.138.1:445

mssecsvr.exe
10.127.139.1:445

mssecsvr.exe
10.127.140.1:445

mssecsvr.exe
10.127.141.1:445

mssecsvr.exe
10.127.142.1:445

mssecsvr.exe
10.127.143.1:445

mssecsvr.exe
10.127.144.1:445

mssecsvr.exe
10.127.145.1:445

mssecsvr.exe
10.127.146.1:445

mssecsvr.exe
10.127.147.1:445

mssecsvr.exe
10.127.148.1:445

mssecsvr.exe
10.127.149.1:445

mssecsvr.exe
10.127.150.1:445

mssecsvr.exe
96.190.231.64:445

mssecsvr.exe

52 B
1
10.127.151.1:445

mssecsvr.exe
57.250.105.19:445

mssecsvr.exe

52 B
1
176.86.82.17:445

mssecsvr.exe

52 B
1
193.247.112.187:445

mssecsvr.exe

52 B
1
201.107.70.162:445

mssecsvr.exe

52 B
1
159.169.1.31:445

mssecsvr.exe

52 B
1
93.43.61.43:445

mssecsvr.exe

52 B
1
92.173.139.28:445

mssecsvr.exe

52 B
1
44.238.31.207:445

mssecsvr.exe

52 B
1
182.84.127.148:445

mssecsvr.exe

52 B
1
10.127.152.1:445

mssecsvr.exe
128.138.13.204:445

mssecsvr.exe

52 B
1
116.95.205.168:445

mssecsvr.exe

52 B
1
68.205.48.234:445

mssecsvr.exe

52 B
1
221.64.3.126:445

mssecsvr.exe

52 B
1
144.249.161.184:445

mssecsvr.exe

52 B
1
10.194.83.93:445

mssecsvr.exe

52 B
1
10.127.153.1:445

mssecsvr.exe
10.127.154.1:445

mssecsvr.exe
10.127.155.1:445

mssecsvr.exe
10.127.156.1:445

mssecsvr.exe
10.127.157.1:445

mssecsvr.exe
10.127.158.1:445

mssecsvr.exe
10.127.159.1:445

mssecsvr.exe
10.127.160.1:445

mssecsvr.exe
10.127.161.1:445

mssecsvr.exe
10.127.162.1:445

mssecsvr.exe
10.127.163.1:445

mssecsvr.exe
10.127.164.1:445

mssecsvr.exe
10.127.165.1:445

mssecsvr.exe
10.127.166.1:445

mssecsvr.exe
10.127.167.1:445

mssecsvr.exe
10.127.168.1:445

mssecsvr.exe
10.127.169.1:445

mssecsvr.exe
32.16.38.22:445

mssecsvr.exe

52 B
1
122.89.187.150:445

mssecsvr.exe

52 B
1
118.197.28.214:445

mssecsvr.exe

52 B
1
153.141.211.107:445

mssecsvr.exe

52 B
1
118.113.191.54:445

mssecsvr.exe

52 B
1
214.16.10.165:445

mssecsvr.exe

52 B
1
223.147.98.40:445

mssecsvr.exe

52 B
1
117.66.10.17:445

mssecsvr.exe

52 B
1
36.130.198.137:445

mssecsvr.exe

52 B
1
10.127.170.1:445

mssecsvr.exe
10.127.171.1:445

mssecsvr.exe
10.127.172.1:445

mssecsvr.exe
10.127.173.1:445

mssecsvr.exe
10.127.174.1:445

mssecsvr.exe
10.127.175.1:445

mssecsvr.exe
10.127.176.1:445

mssecsvr.exe
10.127.177.1:445

mssecsvr.exe
10.127.178.1:445

mssecsvr.exe
10.127.179.1:445

mssecsvr.exe
212.79.93.32:445

mssecsvr.exe

52 B
1
10.127.180.1:445

mssecsvr.exe
215.245.62.72:445

mssecsvr.exe

52 B
1
10.127.181.1:445

mssecsvr.exe
10.127.182.1:445

mssecsvr.exe
10.127.183.1:445

mssecsvr.exe
87.63.184.0:445

mssecsvr.exe

52 B
1
66.249.170.251:445

mssecsvr.exe

52 B
1
10.127.184.1:445

mssecsvr.exe
10.127.185.1:445

mssecsvr.exe
10.127.186.1:445

mssecsvr.exe
2.121.199.126:445

mssecsvr.exe

52 B
1
15.102.245.113:445

mssecsvr.exe

52 B
1
10.127.187.1:445

mssecsvr.exe
13.182.189.33:445

mssecsvr.exe

52 B
1
134.82.17.96:445

mssecsvr.exe

52 B
1
10.127.188.1:445

mssecsvr.exe
10.127.189.1:445

mssecsvr.exe
201.65.29.174:445

mssecsvr.exe

52 B
1
108.240.82.33:445

mssecsvr.exe

52 B
1
196.29.252.182:445

mssecsvr.exe

52 B
1
221.178.87.59:445

mssecsvr.exe

52 B
1
3.243.10.87:445

mssecsvr.exe

52 B
1
117.114.92.65:445

mssecsvr.exe

52 B
1
35.245.227.139:445

mssecsvr.exe

52 B
1
155.97.231.111:445

mssecsvr.exe

52 B
1
213.213.160.63:445

mssecsvr.exe

52 B
1
126.230.89.109:445

mssecsvr.exe

52 B
1
10.127.190.1:445

mssecsvr.exe
10.127.191.1:445

mssecsvr.exe
10.127.192.1:445

mssecsvr.exe
10.127.193.1:445

mssecsvr.exe
10.127.194.1:445

mssecsvr.exe
10.127.195.1:445

mssecsvr.exe
10.127.196.1:445

mssecsvr.exe
10.127.197.1:445

mssecsvr.exe
10.127.198.1:445

mssecsvr.exe
10.127.199.1:445

mssecsvr.exe
48.106.49.4:445

mssecsvr.exe

52 B
1
10.127.200.1:445

mssecsvr.exe
35.40.35.136:445

mssecsvr.exe

52 B
1
10.127.201.1:445

mssecsvr.exe
206.246.117.135:445

mssecsvr.exe

52 B
1
10.127.202.1:445

mssecsvr.exe
214.35.70.64:445

mssecsvr.exe

52 B
1
10.127.203.1:445

mssecsvr.exe
10.127.204.1:445

mssecsvr.exe
10.127.205.1:445

mssecsvr.exe
122.220.62.67:445

mssecsvr.exe

52 B
1
69.125.254.85:445

mssecsvr.exe

52 B
1
10.127.206.1:445

mssecsvr.exe
10.127.207.1:445

mssecsvr.exe
10.127.208.1:445

mssecsvr.exe
120.242.165.249:445

mssecsvr.exe

52 B
1
10.127.209.1:445

mssecsvr.exe
207.126.221.207:445

mssecsvr.exe

52 B
1
209.34.27.125:445

mssecsvr.exe

104 B
80 B
2
2
132.64.87.33:445

mssecsvr.exe

52 B
1
175.40.151.183:445

mssecsvr.exe

52 B
1
24.203.138.184:445

mssecsvr.exe

52 B
1
207.64.165.15:445

mssecsvr.exe

52 B
1
138.113.123.0:445

mssecsvr.exe

52 B
1
191.120.84.68:445

mssecsvr.exe

52 B
1
2.182.196.8:445

mssecsvr.exe

52 B
1
88.198.14.239:445

mssecsvr.exe

52 B
1
104.54.155.113:445

mssecsvr.exe

52 B
1
132.84.153.220:445

mssecsvr.exe

52 B
1
134.114.46.16:445

mssecsvr.exe

52 B
1
26.184.167.68:445

mssecsvr.exe

52 B
1
10.127.210.1:445

mssecsvr.exe
10.127.211.1:445

mssecsvr.exe
10.127.212.1:445

mssecsvr.exe
10.127.213.1:445

mssecsvr.exe
10.127.214.1:445

mssecsvr.exe
10.127.215.1:445

mssecsvr.exe
10.127.216.1:445

mssecsvr.exe
10.127.217.1:445

mssecsvr.exe
10.127.218.1:445

mssecsvr.exe
10.127.219.1:445

mssecsvr.exe
10.127.220.1:445

mssecsvr.exe
108.72.123.2:445

mssecsvr.exe

52 B
1
176.195.138.64:445

mssecsvr.exe

52 B
1
10.127.221.1:445

mssecsvr.exe
163.70.129.28:445

mssecsvr.exe

52 B
1
10.127.222.1:445

mssecsvr.exe
62.12.128.60:445

mssecsvr.exe

52 B
1
10.127.223.1:445

mssecsvr.exe
165.205.35.236:445

mssecsvr.exe

52 B
1
10.127.224.1:445

mssecsvr.exe
137.171.84.147:445

mssecsvr.exe

52 B
1
10.127.225.1:445

mssecsvr.exe
10.127.226.1:445

mssecsvr.exe
10.127.227.1:445

mssecsvr.exe
124.220.181.217:445

mssecsvr.exe

52 B
1
31.243.227.180:445

mssecsvr.exe

52 B
1
10.127.228.1:445

mssecsvr.exe
10.127.229.1:445

mssecsvr.exe
10.127.230.1:445

mssecsvr.exe
205.226.246.84:445

mssecsvr.exe

52 B
1
169.123.28.123:445

mssecsvr.exe

52 B
1
93.62.36.29:445

mssecsvr.exe

52 B
1
176.8.116.2:445

mssecsvr.exe

52 B
1
169.207.128.144:445

mssecsvr.exe

52 B
1
93.6.200.56:445

mssecsvr.exe

52 B
1
1.18.56.153:445

mssecsvr.exe

52 B
1
66.203.185.17:445

mssecsvr.exe

52 B
1
171.153.148.225:445

mssecsvr.exe

52 B
1
108.60.6.165:445

mssecsvr.exe

52 B
1
66.232.40.134:445

mssecsvr.exe

52 B
1
124.176.240.243:445

mssecsvr.exe

52 B
1
19.191.196.202:445

mssecsvr.exe

52 B
1
172.37.32.145:445

mssecsvr.exe

52 B
1
10.127.231.1:445

mssecsvr.exe
10.127.232.1:445

mssecsvr.exe
10.127.233.1:445

mssecsvr.exe
10.127.234.1:445

mssecsvr.exe
10.127.235.1:445

mssecsvr.exe
10.127.236.1:445

mssecsvr.exe
10.127.237.1:445

mssecsvr.exe
10.127.238.1:445

mssecsvr.exe
10.127.239.1:445

mssecsvr.exe
10.127.240.1:445

mssecsvr.exe
10.127.241.1:445

mssecsvr.exe
22.185.108.4:445

mssecsvr.exe

52 B
1
10.127.242.1:445

mssecsvr.exe
115.244.139.76:445

mssecsvr.exe

52 B
1
176.52.112.23:445

mssecsvr.exe

52 B
1
173.22.248.62:445

mssecsvr.exe

52 B
1
58.247.63.183:445

mssecsvr.exe

52 B
1
10.127.243.1:445

mssecsvr.exe
71.125.137.200:445

mssecsvr.exe

52 B
1
10.127.244.1:445

mssecsvr.exe
123.29.223.166:445

mssecsvr.exe

52 B
1
10.127.245.1:445

mssecsvr.exe
177.54.208.190:445

mssecsvr.exe

52 B
1
10.127.246.1:445

mssecsvr.exe
62.79.85.60:445

mssecsvr.exe

52 B
1
10.127.247.1:445

mssecsvr.exe
10.127.248.1:445

mssecsvr.exe
37.31.74.144:445

mssecsvr.exe

52 B
1
10.127.249.1:445

mssecsvr.exe
195.212.149.245:445

mssecsvr.exe

52 B
1
163.12.228.93:445

mssecsvr.exe

52 B
1
137.191.160.59:445

mssecsvr.exe

52 B
1
138.171.197.11:445

mssecsvr.exe

52 B
1
137.99.188.59:445

mssecsvr.exe

52 B
1
206.189.234.132:445

mssecsvr.exe

52 B
1
219.130.184.244:445

mssecsvr.exe

52 B
1
147.112.195.7:445

mssecsvr.exe

52 B
1
11.222.10.10:445

mssecsvr.exe

52 B
1
22.95.150.104:445

mssecsvr.exe

52 B
1
146.61.185.114:445

mssecsvr.exe

52 B
1
62.6.25.201:445

mssecsvr.exe

52 B
1
124.32.156.35:445

mssecsvr.exe

52 B
1
118.45.101.129:445

mssecsvr.exe

52 B
1
42.244.73.78:445

mssecsvr.exe

52 B
1
10.127.250.1:445

mssecsvr.exe
10.127.251.1:445

mssecsvr.exe
10.127.252.1:445

mssecsvr.exe
10.127.253.1:445

mssecsvr.exe
10.127.254.1:445

mssecsvr.exe
10.127.255.1:445

mssecsvr.exe
10.127.0.2:445

mssecsvr.exe
10.127.1.2:445

mssecsvr.exe
10.127.2.2:445

mssecsvr.exe
10.127.3.2:445

mssecsvr.exe
10.127.4.2:445

mssecsvr.exe
46.88.148.230:445

mssecsvr.exe

52 B
1
10.127.5.2:445

mssecsvr.exe
10.127.6.2:445

mssecsvr.exe
10.127.7.2:445

mssecsvr.exe
190.253.142.143:445

mssecsvr.exe

52 B
1
190.174.146.51:445

mssecsvr.exe

52 B
1
10.127.8.2:445

mssecsvr.exe
35.42.132.67:445

mssecsvr.exe

52 B
1
62.146.3.144:445

mssecsvr.exe

52 B
1
222.212.64.14:445

mssecsvr.exe

52 B
1
128.79.132.95:445

mssecsvr.exe

52 B
1
10.127.9.2:445

mssecsvr.exe
134.199.0.204:445

mssecsvr.exe

52 B
1
10.127.10.2:445

mssecsvr.exe
163.245.180.130:445

mssecsvr.exe

52 B
1
96.240.58.223:445

mssecsvr.exe

52 B
1
10.127.11.2:445

mssecsvr.exe
137.115.10.108:445

mssecsvr.exe

52 B
1
214.94.208.103:445

mssecsvr.exe

52 B
1
82.95.79.202:445

mssecsvr.exe

52 B
1
79.197.80.127:445

mssecsvr.exe

52 B
1
70.112.33.18:445

mssecsvr.exe

52 B
1
118.44.31.12:445

mssecsvr.exe

52 B
1
154.22.15.76:445

mssecsvr.exe

52 B
1
37.185.18.1:445

mssecsvr.exe

52 B
1
205.226.228.45:445

mssecsvr.exe

52 B
1
148.43.74.186:445

mssecsvr.exe

52 B
1
70.179.16.28:445

mssecsvr.exe

52 B
1
74.76.94.19:445

mssecsvr.exe

52 B
1
212.222.230.29:445

mssecsvr.exe

52 B
1
124.38.125.110:445

mssecsvr.exe

52 B
1
54.83.81.113:445

mssecsvr.exe

52 B
1
115.235.111.180:445

mssecsvr.exe

52 B
1
5.28.70.62:445

mssecsvr.exe

52 B
1
10.127.12.2:445

mssecsvr.exe
10.127.13.2:445

mssecsvr.exe
10.127.14.2:445

mssecsvr.exe
10.127.15.2:445

mssecsvr.exe
10.127.16.2:445

mssecsvr.exe
10.127.17.2:445

mssecsvr.exe
10.127.18.2:445

mssecsvr.exe
10.127.19.2:445

mssecsvr.exe
10.127.20.2:445

mssecsvr.exe
10.127.21.2:445

mssecsvr.exe
10.127.22.2:445

mssecsvr.exe
10.127.23.2:445

mssecsvr.exe
10.127.24.2:445

mssecsvr.exe
10.127.25.2:445

mssecsvr.exe
28.83.136.209:445

mssecsvr.exe

52 B
1
10.127.26.2:445

mssecsvr.exe
56.139.246.177:445

mssecsvr.exe

52 B
1
122.254.181.187:445

mssecsvr.exe

52 B
1
10.127.27.2:445

mssecsvr.exe
10.127.28.2:445

mssecsvr.exe
10.127.29.2:445

mssecsvr.exe
80.30.184.115:445

mssecsvr.exe

52 B
1
83.188.218.198:445

mssecsvr.exe

52 B
1
10.127.30.2:445

mssecsvr.exe
96.80.2.207:445

mssecsvr.exe

52 B
1
52.209.59.31:445

mssecsvr.exe

52 B
1

8.8.8.8:53

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

dns

mssecsvr.exe

95 B
111 B
1
1

DNS Request

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

DNS Response

103.224.212.215
8.8.8.8:53

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

dns

mssecsvr.exe

96 B
138 B
1
1

DNS Request

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

DNS Response

199.59.243.228

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
835246cd3690184218773906a49d8328

SHA1
b2dac297dcbb073df798a3dd6558e88b4e0077e2

SHA256
3cd461eac607ef830a2a34430ae0eebc13625b4bde5fce5579dd68eba8e47cfe

SHA512
9c454c1bc39b5155cf065c70fb0a6743cd7e0f119839e6bd8aae4c7b5605e364b2bcfcc8d6f97bd68fd48ff1a65291b829a1d2ea8ddba1cdacd475c8d8ee17ec

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.