File name:

wire

Full analysis: https://app.any.run/tasks/a136bb2f-74fb-4680-8c7c-743265475ee5
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: January 25, 2024, 12:41:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

7A436B28612E1F1664B898CE6ECE6730

SHA1:

8264CE2DAE35222364AED16B5EB58F87D42AA648

SHA256:

1E36357EEA9581DD457001567C62B54955A065CBAC3580F909AF067E2CE2364D

SSDEEP:

98304:K6Mhn6U0C74ZdJqJEPRLGph8ZKy8BF7995RL8I2ldvnBmQnJnHemnqDDqfJ267GE:VHVcILOdVhiB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Renames files like ransomware

      • wire.exe (PID: 2568)

    • Actions looks like stealing of personal data

      • wire.exe (PID: 2568)

    • Drops the executable file immediately after the start

      • wire.exe (PID: 2568)

  • SUSPICIOUS

    • Write to the desktop.ini file (may be used to cloak folders)

      • wire.exe (PID: 2568)

  • INFO

    • Dropped object may contain TOR URL's

      • wire.exe (PID: 2568)

    • Checks supported languages

      • wire.exe (PID: 2568)
      • wmpnscfg.exe (PID: 2100)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2100)

    • Reads the machine GUID from the registry

      • wire.exe (PID: 2568)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:25 13:40:50+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 25600
InitializedDataSize: 8704
UninitializedDataSize: -
EntryPoint: 0x32f317
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wire.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2100"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2568"C:\Users\admin\Desktop\wire.exe" C:\Users\admin\Desktop\wire.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\wire.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
Total events
9 953
Read events
9 953
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1 245
Text files
6
Unknown types
12

Dropped files

PID
Process
Filename
Type
2568wire.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\profile_count_308046B0AF4A39CB.json.pbinary
MD5:702F2798633C4C1A0777C0F4DE5F17DD
SHA256:87DB9C5DB926214146D587BCD1B1FAB9DF7B4AFCE3C75BC8D10D368B84E0C519
2568wire.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\profile_count_308046B0AF4A39CB.jsonbinary
MD5:702F2798633C4C1A0777C0F4DE5F17DD
SHA256:87DB9C5DB926214146D587BCD1B1FAB9DF7B4AFCE3C75BC8D10D368B84E0C519
2568wire.exeC:\Users\admin\ntuser.inibinary
MD5:6160C55B27F13DAA20CA55F7017111AA
SHA256:3996C78AB95EE7D0D258FD3627725CEFBE787AFABDB9BC8456FA2939853E80A4
2568wire.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\UpdateLock-308046B0AF4A39CB.pbinary
MD5:02DB51476E1541A995D7B557231ACDE1
SHA256:E820A9A258BCD8397D0367C86D6F69A66C372EB17FCEEDF38D4A2809017D3139
2568wire.exeC:\Users\admin\ntuser.ini.pbinary
MD5:6160C55B27F13DAA20CA55F7017111AA
SHA256:3996C78AB95EE7D0D258FD3627725CEFBE787AFABDB9BC8456FA2939853E80A4
2568wire.exeC:\Users\Public\desktop.ini.pbinary
MD5:13E6AD078335C9AC3D21DD88F2625BC6
SHA256:FA4D699683071C16F63800AB160C3E0F7420BC3F032370684A38C83BBB70E34F
2568wire.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\UpdateLock-308046B0AF4A39CBbinary
MD5:02DB51476E1541A995D7B557231ACDE1
SHA256:E820A9A258BCD8397D0367C86D6F69A66C372EB17FCEEDF38D4A2809017D3139
2568wire.exeC:\Windows\Cursors\clearcur.curbinary
MD5:576C73BD3EDC307DB240AFC9D383F418
SHA256:04345AD8233D9EE63308B05DB46C268E902DD93251EAE39030472124FEEE8AA1
2568wire.exeC:\Users\Public\desktop.inibinary
MD5:13E6AD078335C9AC3D21DD88F2625BC6
SHA256:FA4D699683071C16F63800AB160C3E0F7420BC3F032370684A38C83BBB70E34F
2568wire.exeC:\Windows\System32\curl-ca-bundle.crtbinary
MD5:78C6163710A7904EA77F959D8657A5AE
SHA256:B627CBBEF57EDFFC1D0F914F1B4B4269FCB1AAD22685326E131F7005034FC9E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info