File name:

mssecsvc[2].bin

Full analysis: https://app.any.run/tasks/e4d785a0-a3d5-4b94-b1f5-de47300db4a9
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 05:37:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ransomware
wannacry
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

0C694193CEAC8BFB016491FFB534EB7C

SHA1:

3AFA73283D1E17DE1BDE6CC14E19417E70FC9554

SHA256:

DBF3890B782AC04136C3336814EEF97E3C0F4133F9592E882C131C179161B27B

SSDEEP:

98304:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:yDqPe1Cxcxk3ZAEUadzR8yc4HI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • WANNACRY has been detected (SURICATA)

      • mssecsvc[2].bin.exe (PID: 3680)
      • svchost.exe (PID: 2192)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • mssecsvc[2].bin.exe (PID: 3680)

  • INFO

    • Checks proxy server information

      • mssecsvc[2].bin.exe (PID: 3680)

    • Reads the computer name

      • mssecsvc[2].bin.exe (PID: 3680)

    • Checks supported languages

      • mssecsvc[2].bin.exe (PID: 3680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x9a16
UninitializedDataSize: -
InitializedDataSize: 3682304
CodeSize: 36864
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2010:11:20 09:03:08+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
119
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #WANNACRY mssecsvc[2].bin.exe #WANNACRY svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
3680"C:\Users\admin\mssecsvc[2].bin.exe" C:\Users\admin\mssecsvc[2].bin.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\mssecsvc[2].bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
432
Read events
429
Write events
3
Delete events
0

Modification events

(PID) Process:(3680) mssecsvc[2].bin.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3680) mssecsvc[2].bin.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3680) mssecsvc[2].bin.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
100
DNS requests
18
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3680
mssecsvc[2].bin.exe
GET
404
104.16.167.228:80
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3508
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3680
mssecsvc[2].bin.exe
104.16.167.228:80
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
CLOUDFLARENET
whitelisted
3508
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
2.23.209.176:443
www.bing.com
Akamai International B.V.
GB
whitelisted
1176
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 104.16.167.228
  • 104.16.166.228
malicious
www.bing.com
  • 2.23.209.176
  • 2.23.209.140
  • 2.23.209.182
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.130
  • 2.23.209.179
  • 2.23.209.189
  • 2.23.209.187
  • 2.23.209.149
  • 2.23.209.177
  • 2.23.209.148
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.140
  • 20.190.160.22
  • 40.126.32.136
  • 20.190.160.17
  • 40.126.32.68
  • 40.126.32.74
  • 20.190.160.20
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
  • 2a01:111:f100:9001::1761:914d
whitelisted
206.23.85.13.in-addr.arpa
unknown
d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa
unknown

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE Possible WannaCry DNS Lookup 1
A Network Trojan was detected
ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
mssecsvc[2].bin