File name: wormlocker.zip

Full analysis: https://app.any.run/tasks/d7a96923-30e2-4768-953e-5d94285c0945
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: April 25, 2025, 03:20:52
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
wormlocker
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5: 91CF2586B60B7D7B93C42E71877868EC
SHA1: 64FC3726753697A379C6B9CE3C60312C5F174AEA
SHA256: 15C7AEA528C2C94D585217EC6C0C78CB388053378606E3883E428CBD2D2BD595
SSDEEP: 6144:9+M2MW5bZwOkxUdhm1nEES8SlqTqqdm685BINYrPis2ZG1848A:9HIZwOHdwnEEj4qoF5eePyZG1+A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Disables task manager

      • worm.exe (PID: 5872)
    • Changes the login/logoff helper path in the registry

      • WormLocker2.0.exe (PID: 3620)
    • WORMLOCKER has been detected

      • worm.exe (PID: 5872)
    • WORMLOCKER has been detected (YARA)

      • worm.exe (PID: 5872)
  • SUSPICIOUS

    • Reads the Internet Settings

      • worm.exe (PID: 5872)
      • OpenWith.exe (PID: 4132)
      • WormLocker2.0.exe (PID: 3620)
      • wscript.exe (PID: 5872)
    • Reads security settings of Internet Explorer

      • worm.exe (PID: 5872)
      • WormLocker2.0.exe (PID: 3620)
    • Reads the date of Windows installation

      • worm.exe (PID: 5872)
      • WormLocker2.0.exe (PID: 3620)
    • Starts CMD.EXE for commands execution

      • worm.exe (PID: 5872)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 5780)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 5780)
    • Executable content was dropped or overwritten

      • worm.exe (PID: 5872)
    • The process executes VB scripts

      • WormLocker2.0.exe (PID: 3620)
    • Process drops legitimate windows executable

      • worm.exe (PID: 5872)
    • The process checks if it is being run in the virtual environment

      • icacls.exe (PID: 2472)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1340)
    • The sample compiled with english language support

      • worm.exe (PID: 5872)
    • Reads the machine GUID from the registry

      • worm.exe (PID: 5872)
      • WormLocker2.0.exe (PID: 3620)
    • Manual execution by a user

      • worm.exe (PID: 5872)
      • worm.exe (PID: 4780)
      • OpenWith.exe (PID: 4132)
      • rundll32.exe (PID: 1800)
      • rundll32.exe (PID: 1916)
      • rundll32.exe (PID: 5344)
    • Checks supported languages

      • worm.exe (PID: 5872)
      • WormLocker2.0.exe (PID: 3620)
    • Reads the computer name

      • worm.exe (PID: 5872)
      • WormLocker2.0.exe (PID: 3620)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 4132)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 4132)
      • WormLocker2.0.exe (PID: 3620)
    • Creates files or folders in the user directory

      • worm.exe (PID: 5872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2025:04:23 00:27:08
ZipCRC: 0xd8423c30
ZipCompressedSize: 204427
ZipUncompressedSize: 321536
ZipFileName: worm.bin
All screenshots are available in the full report
Total processes: 117
Monitored processes: 13
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start winrar.exe worm.exe no specs #WORMLOCKER worm.exe cmd.exe no specs conhost.exe no specs takeown.exe no specs icacls.exe no specs wormlocker2.0.exe openwith.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1340
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\wormlocker.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1800
CMD: "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Downloads\sourcesfloor.jpg
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcp_win.dll
PID: 1916
CMD: "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Downloads\hostingpricing.png
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcp_win.dll
PID: 2472
CMD: icacls C:\Windows\System32 /grant "admin:F"
Path: C:\Windows\System32\icacls.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
PID: 3620
CMD: "C:\Windows\System32\WormLocker2.0.exe"
Path: C:\Windows\System32\WormLocker2.0.exe
Parent process: worm.exe
User: admin
Integrity Level: HIGH
Description: WormLocker2.0
Version: 1.0.0.0
Modules
Images
c:\windows\system32\wormlocker2.0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 4032
CMD: takeown /f C:\Windows\System32
Path: C:\Windows\System32\takeown.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Takes ownership of a file
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
PID: 4132
CMD: "C:\Windows\System32\OpenWith.exe" C:\Users\admin\Downloads\worm_tool.sys
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Pick an app
Exit code: 2147943623
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4780
CMD: "C:\Users\admin\Desktop\worm.exe"
Path: C:\Users\admin\Desktop\worm.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: SysWOW64
Exit code: 3221226540
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\worm.exe
c:\windows\system32\ntdll.dll
PID: 5344
CMD: "C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Downloads\yorkanti.jpg
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcp_win.dll
PID: 5780
CMD: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
Path: C:\Windows\System32\cmd.exe
Parent process: worm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events: 7 939
Read events: 7 702
Write events: 237
Delete events: 0

Modification events

(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\wormlocker.zip
(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (1340) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
Executable files: 5
Suspicious files: 13
Text files: 4
Unknown types: 0

Dropped files

PID: 3620 | Process: WormLocker2.0.exe | Filename: C:\Users\admin\Desktop\featuresfiles.rtf | Type: binary
MD5: F851728C8A72B2556FE33C54BA8DC93B
SHA256: AFF1671132E301E1939CE6099192C001F9234903F2418766134E7B22AEBCFED5
PID: 5872 | Process: worm.exe | Filename: C:\Windows\System32\WormLocker2.0.exe | Type: executable
MD5: 311190658CB0F8CA99084AFDF13773EF
SHA256: 5426C84B6FED863BC2F9DC10EABDFC1EC20E05011D12BC7402895C3A94932DCE
PID: 5872 | Process: worm.exe | Filename: C:\Windows\System32\LogonUIinf.exe | Type: executable
MD5: 31618202EB911F6606405D237E098AD0
SHA256: 7944285565408818FAE6F861D45D7A722F5AC630DA98FB762826F061831E46F4
PID: 5872 | Process: worm.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\worm.exe.log | Type: csv
MD5: EEC6092C22333343FADBF9EAE15F4B5A
SHA256: 9E496F5183672E69423C0B4EF924F8B4376F12B6EBF7786A6C1B71B121CD2B78
PID: 5872 | Process: worm.exe | Filename: C:\Windows\System32\LogonUItrue.exe | Type: executable
MD5: 067FEF16147556C78D5FE950AE199449
SHA256: 4A224037F9832D0BBFF2D61289F4F9030B72EBD42DA90FB343CA94978BFD0459
PID: 3620 | Process: WormLocker2.0.exe | Filename: C:\Users\admin\Desktop\crossscientific.png | Type: binary
MD5: C323216756A11DAB1869878D24EF0E68
SHA256: 80B6A0E5E224F8BBA27A3D15D8F99E4A0FAC94882FF41A9B63277E5A31A94AEE
PID: 3620 | Process: WormLocker2.0.exe | Filename: C:\Users\admin\Desktop\worm_tool.sys | Type: text
MD5: 5031E9989AE1AB3BA509B7D4220C0DDF
SHA256: 954D1BB83D80BB6F6E746B28F0DE3EC4C4ED980CFE67ED23A9159CD464FF339A
PID: 3620 | Process: WormLocker2.0.exe | Filename: C:\Users\admin\Desktop\importantzone.png | Type: binary
MD5: A8EA1341CB315D023DD5409733BB5517
SHA256: 1384F06FE8501BCE4BC3317550A796877D10312D781E9776DBAFE6C453EB3A40
PID: 3620 | Process: WormLocker2.0.exe | Filename: C:\Users\admin\Desktop\pokerclothing.jpg | Type: binary
MD5: 90C5C7172BF2460015E22B67B505917F
SHA256: 8367C194D34F47AB487E21B9EF691EBCFF291DC3FD07F4454CFBB6CDB3533A9F
PID: 3620 | Process: WormLocker2.0.exe | Filename: C:\Users\admin\Desktop\justkitchen.jpg | Type: binary
MD5: A7648A404268E0E40F4A6702FAC300D3
SHA256: 5D64C62B5203908752E9EEA9A2195187A810E36107B52B3E81790F619D6FB1E8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 17
DNS requests: 10
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2440 | smartscreen.exe | GET | 200 | 208.89.74.31:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4860b3a47440b4af | unknown | whitelisted
2440 | smartscreen.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
1352 | svchost.exe | GET | 200 | 23.32.239.82:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
3640 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cd93d97035913c62 | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?966e481a9fe01acd | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ec355da27201ae0c | unknown | whitelisted
2768 | svchost.exe | GET | 200 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?96d7e1e649d02ef8 | unknown | whitelisted
2988 | OfficeClickToRun.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1352 | svchost.exe | 23.32.239.16:80 | | Akamai International B.V. | DE | unknown
 | | 239.255.255.250:1900 | | | | whitelisted
2440 | smartscreen.exe | 48.209.144.71:443 | checkappexec.microsoft.com | | US | whitelisted
2440 | smartscreen.exe | 208.89.74.31:80 | ctldl.windowsupdate.com | | US | whitelisted
2440 | smartscreen.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
3560 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3640 | svchost.exe | 20.190.160.65:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3640 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
5136 | svchost.exe | 23.197.142.186:443 | fs.microsoft.com | Akamai International B.V. | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
checkappexec.microsoft.com
  • 48.209.144.71
whitelisted
ctldl.windowsupdate.com
  • 208.89.74.31
  • 208.89.74.21
  • 208.89.74.19
  • 208.89.74.27
  • 208.89.74.29
  • 208.89.74.23
  • 208.89.74.17
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
login.live.com
  • 20.190.160.65
  • 20.190.160.14
  • 40.126.32.72
  • 20.190.160.3
  • 40.126.32.136
  • 20.190.160.67
  • 20.190.160.20
  • 20.190.160.2
whitelisted
fs.microsoft.com
  • 23.197.142.186
whitelisted
self.events.data.microsoft.com
  • 52.168.117.168
whitelisted

Threats

PID | Process | Class | Message
1352 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test