File name:

wire

Full analysis: https://app.any.run/tasks/a136bb2f-74fb-4680-8c7c-743265475ee5
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: January 25, 2024, 12:41:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

7A436B28612E1F1664B898CE6ECE6730

SHA1:

8264CE2DAE35222364AED16B5EB58F87D42AA648

SHA256:

1E36357EEA9581DD457001567C62B54955A065CBAC3580F909AF067E2CE2364D

SSDEEP:

98304:K6Mhn6U0C74ZdJqJEPRLGph8ZKy8BF7995RL8I2ldvnBmQnJnHemnqDDqfJ267GE:VHVcILOdVhiB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Renames files like ransomware

      • wire.exe (PID: 2568)

    • Drops the executable file immediately after the start

      • wire.exe (PID: 2568)

    • Actions looks like stealing of personal data

      • wire.exe (PID: 2568)

  • SUSPICIOUS

    • Write to the desktop.ini file (may be used to cloak folders)

      • wire.exe (PID: 2568)

  • INFO

    • Checks supported languages

      • wire.exe (PID: 2568)
      • wmpnscfg.exe (PID: 2100)

    • Dropped object may contain TOR URL's

      • wire.exe (PID: 2568)

    • Reads the machine GUID from the registry

      • wire.exe (PID: 2568)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2100)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:25 13:40:50+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 25600
InitializedDataSize: 8704
UninitializedDataSize: -
EntryPoint: 0x32f317
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wire.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2100"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2568"C:\Users\admin\Desktop\wire.exe" C:\Users\admin\Desktop\wire.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\wire.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
Total events
9 953
Read events
9 953
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1 245
Text files
6
Unknown types
12

Dropped files

PID
Process
Filename
Type
2568wire.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\profile_count_308046B0AF4A39CB.json.pbinary
MD5:702F2798633C4C1A0777C0F4DE5F17DD
SHA256:87DB9C5DB926214146D587BCD1B1FAB9DF7B4AFCE3C75BC8D10D368B84E0C519
2568wire.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\UpdateLock-308046B0AF4A39CB.pbinary
MD5:02DB51476E1541A995D7B557231ACDE1
SHA256:E820A9A258BCD8397D0367C86D6F69A66C372EB17FCEEDF38D4A2809017D3139
2568wire.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\profile_count_308046B0AF4A39CB.jsonbinary
MD5:702F2798633C4C1A0777C0F4DE5F17DD
SHA256:87DB9C5DB926214146D587BCD1B1FAB9DF7B4AFCE3C75BC8D10D368B84E0C519
2568wire.exeC:\Windows\Temp\af397ef28e484961ba48646a5d38cf54.db.ses.pbinary
MD5:8EE6BDF4A1B82C59422D84A6C1846DCD
SHA256:5F5E59364A2D1608D52422126BCFDB5D568D7BA79F1F0CDC736C63A0508524BA
2568wire.exeC:\Windows\Temp\af397ef28e484961ba48646a5d38cf54.db.sesbinary
MD5:8EE6BDF4A1B82C59422D84A6C1846DCD
SHA256:5F5E59364A2D1608D52422126BCFDB5D568D7BA79F1F0CDC736C63A0508524BA
2568wire.exeC:\Windows\System32\curl.exebinary
MD5:19C5846D10D9932D78EFE4EAAC41CEA9
SHA256:785A7C63755CA3FB028D0A7001413D12D3B3ACF4B7FF5D6643218A6CE0FBCD95
2568wire.exeC:\Windows\System32\curl-ca-bundle.crtbinary
MD5:78C6163710A7904EA77F959D8657A5AE
SHA256:B627CBBEF57EDFFC1D0F914F1B4B4269FCB1AAD22685326E131F7005034FC9E4
2568wire.exeC:\Windows\Temp\DMI1DA9.tmpbinary
MD5:9C7FB5C807A47DF172EAB9845C3CD44F
SHA256:0ED8B5DB32D3FA6C5184A8B07BFBB6383469F15D86437A003520C04AE257FEDE
2568wire.exeC:\Windows\Temp\DMI1DA9.tmp.pbinary
MD5:9C7FB5C807A47DF172EAB9845C3CD44F
SHA256:0ED8B5DB32D3FA6C5184A8B07BFBB6383469F15D86437A003520C04AE257FEDE
2568wire.exeC:\Users\admin\ntuser.ini.pbinary
MD5:6160C55B27F13DAA20CA55F7017111AA
SHA256:3996C78AB95EE7D0D258FD3627725CEFBE787AFABDB9BC8456FA2939853E80A4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info