File name: 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry
Full analysis: https://app.any.run/tasks/dc6bca82-184e-40f7-aa8c-4de77acd83a5
Verdict: Malicious activity
Threats: Ransomware

Ransomware is malicious software that locks users out of their system or data in order to extort a payment. Most often it encrypts files on the infected machine and demands a fee in exchange for the decryption key. Many operators also steal sensitive data from the compromised computer before encrypting it and threaten to publish it, or launch DDoS attacks against the affected organization, to increase the pressure to pay.

Analysis date: March 24, 2025, 13:25:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: ransomware, wannacry, sinkhole, m0yv
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: B4D0C401FD890E5EF67C11468EFD21FF
SHA1: 382AF52B91E34C122BA75CB0A0412D8834AC5C66
SHA256: 05573791DE20E9CF197C9CC784A00CAB877DCCC0A580CD412C65A227C4CC8752
SSDEEP: 98304:v4ruuZTKDGo+fzG4OqTYFSj8GZQmhTlD9I2s39xf2xRW1drKJlEeIc383Yd1X1dW:bMqujdFa

ANY.RUN is an interactive service that gives the analyst full access to the guest system, so the information in this report may have been influenced by user actions. It is provided as is; ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
    • WANNACRY has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
    • Reads security settings of Internet Explorer

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
    • Process drops legitimate windows executable

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
  • INFO

    • Checks supported languages

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
    • Creates files or folders in the user directory

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
    • Checks proxy server information

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
      • slui.exe (PID: 1812)
    • Reads the computer name

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
    • The sample compiled with english language support

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
    • Failed to create an executable file in Windows directory

      • 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe (PID: 7672)
    • Reads the software policy settings

      • slui.exe (PID: 1812)
Malware configuration: none extracted.

TRiD (file-type guesses; the value in parentheses is the match percentage)

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:20 09:03:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 36864
InitializedDataSize: 3682304
UninitializedDataSize: -
EntryPoint: 0x9a16
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
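The hash indicators and the EXIF block above, as an added triage example that is not part of the ANY.RUN report or its tooling: the parser reads the COFF and optional-header fields ExifTool prints (machine, section count, link timestamp, characteristics, linker version, code and data sizes, entry point, OS/subsystem versions, subsystem), and the hash helper checks a file against the hash values this report lists. `build_constructed_pe()` produces a header-only PE that carries the report's EXIF values so the parser can be exercised offline; it is constructed for the example, contains no code, and is not the sample. The IOC table and rule labels are copied from this page; the function names are this example's own.

```python
"""Added triage example: file hashes plus the PE header fields ANY.RUN lists under EXIF."""
import hashlib
import struct
from datetime import datetime, timezone

# Constructed IOC table copied from this report (sample and the two dropped executables),
# normalised to lowercase hex so the report's uppercase formatting does not matter.
REPORT_IOCS = {
    "b4d0c401fd890e5ef67c11468efd21ff": "sample MD5",
    "382af52b91e34c122ba75cb0a0412d8834ac5c66": "sample SHA1",
    "05573791de20e9cf197c9cc784a00cab877dccc0a580cd412c65a227c4cc8752": "sample SHA256",
    "f7eeda5f07909c1c78f4c39bdacfc705": "dropped AppVShNotify.exe MD5",
    "d0910c5293573c3ce7fb33b89c4ac213": "dropped appvcleaner.exe MD5",
}

# IMAGE_FILE_* characteristic bits, named the way ExifTool prints them in the EXIF block.
CHARACTERISTICS = [
    (0x0001, "No relocs"), (0x0002, "Executable"), (0x0004, "No line numbers"),
    (0x0008, "No symbols"), (0x0100, "32-bit"), (0x2000, "DLL"),
]
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 computed from a single pass over the bytes."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(data: bytes, iocs=REPORT_IOCS) -> list:
    """Which IOC hashes the bytes match, e.g. ['md5 matches sample MD5']; [] if none."""
    return [f"{algo} matches {iocs[digest]}"
            for algo, digest in file_hashes(data).items() if digest in iocs]


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF and optional-header fields shown in the EXIF block (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    magic, lnk_major, lnk_minor, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    os_major, os_minor, img_major, img_minor, ss_major, ss_minor = struct.unpack_from("<HHHHHH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": [name for bit, name in CHARACTERISTICS if chars & bit],
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code, "initialized_data_size": idata, "uninitialized_data_size": udata,
        "entry_point": hex(entry),
        "os_version": f"{os_major}.{os_minor}", "image_version": f"{img_major}.{img_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def build_constructed_pe() -> bytes:
    """Constructed header-only PE32 carrying this report's EXIF values (not the sample, no code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 4, 1290243788, 0, 0, 0xE0, 0x010F)  # 2010-11-20 09:03:08 UTC
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 6, 0, 36864, 3682304, 0, 0x9A16)
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 0, 0, 4, 0)       # OS 4.0, image 0.0, subsystem 4.0
    struct.pack_into("<H", opt, 68, 2)                           # Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_pe()
    for key, value in parse_pe_header(data).items():
        print(f"{key}: {value}")
    print(match_iocs(data) or "no IOC hash match")
```

Run it with a file path to triage a real binary, or with no argument to see the report's values reproduced from the constructed header. The 2010 link timestamp on a sample submitted in 2025 is worth noting, but PE timestamps are attacker-controlled and prove nothing on their own.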
Total processes: 130
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (flattened): start → 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe [#WANNACRY]; svchost.exe [#WANNACRY]; slui.exe

Process information

PID 1812: slui.exe
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 2196: svchost.exe
  CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Host Process for Windows Services
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\kernel.appcore.dll

PID 7672: 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe
  CMD: "C:\Users\admin\Desktop\2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe"
  Path: C:\Users\admin\Desktop\2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\desktop\2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll
Registry activity

Total events: 3 806
Read events: 3 806
Write events: 0
Delete events: 0
Modification events: no data

Files activity

Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7672 | 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | executable
  MD5: F7EEDA5F07909C1C78F4C39BDACFC705
  SHA256: 0B052E20FC20B8C8BE076AEF7E5D61D42345C97A4AD8E4B352661A7C01677F28
7672 | 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | executable
  MD5: D0910C5293573C3CE7FB33B89C4AC213
  SHA256: ABED614FA34DCED966E398530A03F762F02D7486364E367FE436512FAB621D6F
7672 | 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe | C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin | binary
  MD5: 0D183A62DA51425AEABACDA0FF9983C7
  SHA256: C26AA069F2729846AE725E6ADF1A54164F023FF26727889B5BEF657EF4CC6A3A
Network activity

HTTP(S) requests: 33
TCP/UDP connections: 53
DNS requests: 17
Threats: 4

HTTP requests (rows without a PID are not attributed to a monitored process in the report)

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5380 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7672 | 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe | GET | 200 | 104.16.166.228:80 | http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | unknown | - | - | whitelisted
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -
8120 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
8120 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
8120 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
8120 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
8120 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 20.223.35.26:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T132546Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=3ef84dad580249f0a64c435341530973&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967525&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358054&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 1.31 Kb | whitelisted

Connections (rows without a PID are not attributed to a monitored process in the report)

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5380 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 20.190.159.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7672 | 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe | 104.16.166.228:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CLOUDFLARENET | - | whitelisted
5380 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7672 | 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe | 52.11.240.239:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
7412 | backgroundTaskHost.exe | 20.31.169.57:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.185.142 | whitelisted
login.live.com | 20.190.159.128, 40.126.31.131, 20.190.159.131, 20.190.159.130, 40.126.31.0, 40.126.31.2, 20.190.159.75, 20.190.159.0 | whitelisted
client.wns.windows.com | 40.113.103.199, 20.197.71.89 | whitelisted
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.16.166.228, 104.16.167.228 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176, 2.16.168.114, 2.16.168.124 | whitelisted
pywolwnvd.biz | 52.11.240.239 | malicious
arc.msn.com | 20.31.169.57 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | A Network Trojan was detected | ET MALWARE Possible WannaCry DNS Lookup 1
7672 | 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe | A Network Trojan was detected | AV TROJAN Domain Sinkholed by Kryptos Logic (HTML Response)
7672 | 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe | Misc activity | ET MALWARE Known Sinkhole Response Kryptos Logic
7672 | 2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe | A Network Trojan was detected | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
Debug info: none.
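The Suricata hits in the Threats table, replayed as an added detection example that is not part of the ANY.RUN report: the records below are constructed to mirror the DNS, HTTP and Connections rows on this page (they are not a parsed PCAP, and the timestamps are ordering placeholders), the kill-switch domain and pywolwnvd.biz come from those tables, and the rule names are this example's own rather than ET signature names. It also shows why the DNS-lookup signature fires on svchost.exe (PID 2196, the `-s Dnscache` service host) and not on the sample: Windows' DNS Client service resolves names on the sample's behalf, so the lookup has to be tied back to PID 7672 through the HTTP request or connection that followed it, which is what `attribute_dns_lookup()` does.

```python
"""Added example: rule replay over constructed records mirroring the report's network tables."""

KILLSWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SAMPLE = "2025-03-24_b4d0c401fd890e5ef67c11468efd21ff_wannacry.exe"
# Domains the report's Connections and DNS tables mark "malicious".
MALICIOUS_DOMAINS = {"pywolwnvd.biz"}

# Constructed records modelled on the DNS, HTTP and Connections rows above; "ts" only
# fixes the order, it is not a value from the report.
RECORDS = [
    {"ts": 1, "pid": 2196, "process": "svchost.exe", "kind": "dns",
     "query": KILLSWITCH_DOMAIN, "answers": ["104.16.166.228", "104.16.167.228"]},
    {"ts": 2, "pid": 7672, "process": SAMPLE, "kind": "http", "method": "GET",
     "host": KILLSWITCH_DOMAIN, "url": f"http://{KILLSWITCH_DOMAIN}/", "status": 200},
    {"ts": 3, "pid": 2196, "process": "svchost.exe", "kind": "dns",
     "query": "pywolwnvd.biz", "answers": ["52.11.240.239"]},
    {"ts": 4, "pid": 7672, "process": SAMPLE, "kind": "conn",
     "dst": "52.11.240.239", "port": 80, "domain": "pywolwnvd.biz"},
    {"ts": 5, "pid": 8120, "process": "SIHClient.exe", "kind": "http", "method": "GET",
     "host": "crl.microsoft.com",
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl", "status": 200},
]


def detect(records, malicious_domains=MALICIOUS_DOMAINS):
    """Apply the rules in record order and return one alert dict per hit."""
    alerts = []

    def hit(rule, rec, detail):
        alerts.append({"rule": rule, "pid": rec["pid"], "process": rec["process"], "detail": detail})

    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["kind"] == "dns":
            if rec["query"].lower() == KILLSWITCH_DOMAIN:
                hit("Possible WannaCry DNS lookup", rec, rec["query"])
            if rec["query"].lower() in malicious_domains:
                hit("DNS lookup of known-malicious domain", rec, rec["query"])
        elif rec["kind"] == "http":
            if rec["host"].lower() == KILLSWITCH_DOMAIN:
                hit("WannaCry kill-switch domain HTTP request", rec, rec["url"])
                if rec.get("status") == 200:
                    # The original WannaCry exits when this domain answers, so a reply from the
                    # sinkhole is expected to suppress encryption and SMB spreading in a
                    # sandbox with internet access.
                    hit("Kill-switch domain answered (sinkholed)", rec, f"HTTP {rec['status']}")
        elif rec["kind"] == "conn":
            if rec.get("domain", "").lower() in malicious_domains:
                hit("Connection to known-malicious domain", rec,
                    f"{rec['domain']} ({rec['dst']}:{rec['port']})")
    return alerts


def attribute_dns_lookup(records, query):
    """PID that first used a DNS answer: the Dnscache svchost performs the lookup, so the real
    requester is the process whose later HTTP request or connection targets that name or one
    of its resolved addresses. Returns None if no such lookup/use pair exists."""
    answers = set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["kind"] == "dns" and rec["query"].lower() == query.lower():
            answers.update(rec["answers"])
            continue
        if not answers:
            continue
        if rec["kind"] == "http" and rec["host"].lower() == query.lower():
            return rec["pid"]
        if rec["kind"] == "conn" and rec["dst"] in answers:
            return rec["pid"]
    return None


if __name__ == "__main__":
    for alert in detect(RECORDS):
        print(f"{alert['rule']:45} pid={alert['pid']} {alert['process']}: {alert['detail']}")
    print("kill-switch lookup requested by PID", attribute_dns_lookup(RECORDS, KILLSWITCH_DOMAIN))
```

Two caveats when carrying this over to real telemetry: the kill-switch domain shows up as "whitelisted" in the report's reputation column because it is sinkholed, so reputation alone would hide it and the name must be matched explicitly; and the Windows Update and CRL traffic from RUXIMICS.exe, SIHClient.exe and backgroundTaskHost.exe is sandbox background noise, which is why the rules key on the sample's indicators rather than on everything the guest talked to.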