URL: https://mega.nz/#!Ylpj3LYY!yC5N06zT2Wxl3CnHbgtsA5-3Fp3rDKN5VTCu-J8M8dA

Full analysis: https://app.any.run/tasks/7de729a5-7fe4-42ad-b008-b67ee0d12473
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: March 02, 2019, 21:36:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
wannacry
wannacryptor
Indicators:
MD5: C156DBE1A3F718A4DC4BC9832D9096F5
SHA1: DAF76B7A537D3A18A13838A7B902C469BC10D768
SHA256: 008D896691ADD86B5A9731D699BB2257B9FB0DAE1AA57A55B4DBE7C9DE0E73F4
SSDEEP: 3:N8X/iGEYVuSVcOdYrWZlW3kwDk:299pdvuUwDk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

    • Dropped file may contain instructions of ransomware

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
    • Writes file to Word startup folder

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
    • WannaCry Ransomware was detected

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • cmd.exe (PID: 3816)
    • Modifies files in Chrome extension folder

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
    • Loads dropped or rewritten executable

      • taskhsvc.exe (PID: 2976)
      • SearchProtocolHost.exe (PID: 3928)
    • Changes the autorun value in the registry

      • reg.exe (PID: 1520)
      • jigsaw.exe (PID: 3412)
    • Deletes shadow copies

      • cmd.exe (PID: 3028)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3028)
    • Actions looks like stealing of personal data

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • drpbx.exe (PID: 2164)
    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 1936)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • WinRAR.exe (PID: 2084)
      • @[email protected] (PID: 3636)
      • jigsaw.exe (PID: 3412)
    • Uses ATTRIB.EXE to modify file attributes

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
    • Uses ICACLS.EXE to modify access control list

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
    • Creates files like Ransomware instruction

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • drpbx.exe (PID: 2164)
    • Starts CMD.EXE for commands execution

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • @[email protected] (PID: 2272)
    • Creates files in the program directory

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • drpbx.exe (PID: 2164)
    • Connects to unusual port

      • taskhsvc.exe (PID: 2976)
    • Creates files in the user directory

      • taskhsvc.exe (PID: 2976)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • jigsaw.exe (PID: 3412)
      • drpbx.exe (PID: 2164)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3500)
    • Creates files in the Windows directory

      • wbadmin.exe (PID: 2700)
    • Starts itself from another location

      • jigsaw.exe (PID: 3412)
    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 1936)
      • vds.exe (PID: 1932)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2408)
      • firefox.exe (PID: 3832)
      • firefox.exe (PID: 3244)
      • firefox.exe (PID: 3572)
      • firefox.exe (PID: 2980)
      • firefox.exe (PID: 2844)
    • Application launched itself

      • firefox.exe (PID: 2844)
    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 2844)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
      • taskhsvc.exe (PID: 2976)
      • drpbx.exe (PID: 2164)
    • Dropped object may contain TOR URL's

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
    • Dropped object may contain URL to Tor Browser

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3108)
    • Creates files in the user directory

      • firefox.exe (PID: 2844)
    • Reads settings of System Certificates

      • firefox.exe (PID: 2844)
    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 1920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 103
Monitored processes: 47
Malicious processes: 8
Suspicious processes: 1

Behavior graph

Process nodes of the graph, in order (nodes tagged #WANNACRY were matched by the WannaCry signature; "no specs" marks nodes without specific indicators):

firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, firefox.exe, winrar.exe, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (#WANNACRY), attrib.exe (no specs), icacls.exe (no specs), taskdl.exe (no specs), cmd.exe (no specs), @[email protected] (#WANNACRY), cmd.exe (no specs), @[email protected] (no specs), taskhsvc.exe, searchprotocolhost.exe (no specs), cmd.exe, vssadmin.exe (no specs), vssvc.exe (no specs), taskdl.exe (no specs), @[email protected] (no specs), cmd.exe (no specs), wmic.exe (no specs), reg.exe, bcdedit.exe (no specs), bcdedit.exe (no specs), wbadmin.exe (no specs), wbengine.exe (no specs), vdsldr.exe (no specs), vds.exe (no specs), taskdl.exe (no specs), @[email protected] (no specs), taskdl.exe (no specs), @[email protected] (no specs), winrar.exe (no specs), jigsaw.exe, drpbx.exe, taskdl.exe (no specs), @[email protected] (no specs), rundll32.exe (no specs), notepad.exe (no specs), taskdl.exe (no specs), @[email protected] (no specs), notepad.exe (no specs), taskdl.exe (no specs), @[email protected] (no specs)

Process information

PID 2844 (parent process: explorer.exe)
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" https://mega.nz/#!Ylpj3LYY!yC5N06zT2Wxl3CnHbgtsA5-3Fp3rDKN5VTCu-J8M8dA
Path: C:\Program Files\Mozilla Firefox\firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 61.0.2

PID 2408 (parent process: firefox.exe)
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.0.371004064\669345918" -childID 1 -isForBrowser -prefsHandle 1436 -prefsLen 8310 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 1484 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID 3244 (parent process: firefox.exe)
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.6.255140475\265724514" -childID 2 -isForBrowser -prefsHandle 2516 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 2544 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID 3832 (parent process: firefox.exe)
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.12.756071981\869299423" -childID 3 -isForBrowser -prefsHandle 3052 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 3064 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 61.0.2

PID 2980 (parent process: firefox.exe)
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.18.2053749590\638902064" -childID 4 -isForBrowser -prefsHandle 7176 -prefsLen 11808 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 7168 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 61.0.2

PID 3572 (parent process: firefox.exe)
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.24.530456294\226251015" -childID 5 -isForBrowser -prefsHandle 6668 -prefsLen 11847 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 6656 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID 2084 (parent process: firefox.exe)
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ransomware.WannaCry.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID 3108 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
Path: C:\Users\admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: DiskPart
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3188 (parent process: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe)
CMD: attrib +h .
Path: C:\Windows\system32\attrib.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 312 (parent process: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe)
CMD: icacls . /grant Everyone:F /T /C /Q
Path: C:\Windows\system32\icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 3 560
Read events: 3 392
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 20
Suspicious files: 889
Text files: 580
Unknown types: 169

Dropped files (PID, process, filename, type; hashes where the report recorded them)

2844 firefox.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm (no type or hashes recorded)

2844 firefox.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp (no type or hashes recorded)

2844 firefox.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js (no type or hashes recorded)

2844 firefox.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm (no type or hashes recorded)

2844 firefox.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm (no type or hashes recorded)

2844 firefox.exe C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstore (binary)
MD5: CD82F4495EAFE523B9B6B938C828611B
SHA256: 576A0D2C3AD8D66BB202439B18F9FD563F92D9DDD9582A3C4CCE0ECAFD4F0908

2844 firefox.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js (text)
MD5: D91579D4CA5C9D158E3079814B89A292
SHA256: D3721AA2701805E928CA71C3B10B6708FC0B207EF88CA0BC187E134D902BEC7A

2844 firefox.exe C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin (binary)
MD5: 707C12070C52E55C2A996AC15E219B95
SHA256: 6C5410C655C8EFC48D123ABE708C8940A4218072C0DAF85E03AB45DA6D2CE6B9

2844 firefox.exe C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.pset (cdxl)
MD5: 076933FF9904D1110D896E2C525E39E5
SHA256: 4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0

2844 firefox.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm (binary)
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 89
DNS requests: 165
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2844 | firefox.exe | POST | 200 | 88.221.144.8:80 | http://ocsp.comodoca.com/ | IT | der | 471 b | whitelisted
2844 | firefox.exe | POST | 200 | 172.217.168.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted
2844 | firefox.exe | POST | 200 | 92.122.244.56:80 | http://ocsp.int-x3.letsencrypt.org/ | FR | der | 527 b | whitelisted
2844 | firefox.exe | POST | 200 | 172.217.168.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted
2844 | firefox.exe | POST | 200 | 172.217.168.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted
2844 | firefox.exe | POST | 200 | 172.217.168.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted
2844 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2844 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2844 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2844 | firefox.exe | POST | 200 | 172.217.168.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2844 | firefox.exe | 216.58.212.170:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
2844 | firefox.exe | 89.44.169.135:443 | mega.nz | Datacenter Luxembourg S.A. | LU | suspicious
2844 | firefox.exe | 72.21.91.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2844 | firefox.exe | 89.44.169.132:443 | eu.static.mega.co.nz | Datacenter Luxembourg S.A. | LU | suspicious
2844 | firefox.exe | 52.25.70.97:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
2844 | firefox.exe | 92.122.244.56:80 | ocsp.int-x3.letsencrypt.org | GTT Communications Inc. | FR | unknown
2844 | firefox.exe | 172.217.168.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2844 | firefox.exe | 52.88.150.81:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown
2844 | firefox.exe | 88.221.144.8:80 | ocsp.comodoca.com | Akamai International B.V. | IT | whitelisted
2844 | firefox.exe | 52.33.113.226:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
detectportal.firefox.com | 88.221.144.128 | whitelisted
mega.nz | 89.44.169.135 | whitelisted
search.services.mozilla.com | 52.88.150.81 | whitelisted
ocsp.int-x3.letsencrypt.org | 92.122.244.56 | whitelisted
tiles.services.mozilla.com | 52.25.70.97 | whitelisted
ocsp.digicert.com | 72.21.91.29 | whitelisted
safebrowsing.googleapis.com | 216.58.212.170 | whitelisted
eu.static.mega.co.nz | 89.44.169.132 | shared
ocsp.comodoca.com | 88.221.144.8 | whitelisted
ocsp.pki.goog | 172.217.168.227 | whitelisted

Threats

PID | Process | Class | Message
2976 | taskhsvc.exe | Misc Attack | ET TOR Known Tor Exit Node Traffic group 24
2976 | taskhsvc.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 25
2976 | taskhsvc.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 585
2976 | taskhsvc.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 576
2976 | taskhsvc.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635
No debug info