File name: EternalBlue.exe
Full analysis: https://app.any.run/tasks/9a17d316-ffd3-4fbc-8d32-e6c0a80a9f6a
Verdict: Malicious activity
Analysis date: May 27, 2024, 08:52:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: D8DE3742220386DD5DB15E9407E70CCC
SHA1: 77290344EE77F1F9F5F66B4C4D96EB2189F64867
SHA256: 21CC36E60E661613F0C05E73B9496BF2D456931686B0693112842D91D7E64E78
SSDEEP: 49152:Xw3jPfNCp4ze2jx7xfGmWWox8SlTrMuK+edTxxty/UsrVEn9iWJgJ9p1x0HcvcVR:XU9xxuhWox5vxK+exNzuVEEAgTp1Ocvm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • EternalBlue.exe (PID: 3984)
  • SUSPICIOUS
    • Reads settings of System Certificates
      • EternalBlue.exe (PID: 3984)
    • Reads security settings of Internet Explorer
      • EternalBlue.exe (PID: 3984)
    • Reads the Internet Settings
      • EternalBlue.exe (PID: 3984)
    • Reads Microsoft Outlook installation path
      • EternalBlue.exe (PID: 3984)
    • Checks Windows Trust Settings
      • EternalBlue.exe (PID: 3984)
    • Reads Internet Explorer settings
      • EternalBlue.exe (PID: 3984)
  • INFO
    • Reads the computer name
      • EternalBlue.exe (PID: 3984)
      • wmpnscfg.exe (PID: 4060)
    • Checks supported languages
      • EternalBlue.exe (PID: 3984)
      • wmpnscfg.exe (PID: 4060)
    • Disables trace logs
      • EternalBlue.exe (PID: 3984)
    • Reads Environment values
      • EternalBlue.exe (PID: 3984)
    • Reads the software policy settings
      • EternalBlue.exe (PID: 3984)
    • Reads the machine GUID from the registry
      • EternalBlue.exe (PID: 3984)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 4060)
    • Checks proxy server information
      • EternalBlue.exe (PID: 3984)
    • Creates files in a temporary directory
      • EternalBlue.exe (PID: 3984)
    • Creates files or folders in the user directory
      • EternalBlue.exe (PID: 3984)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:10 14:54:59+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 1459712
InitializedDataSize: 47616
UninitializedDataSize: -
EntryPoint: 0x16644e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.8
ProductVersionNumber: 0.0.0.8
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Elad Erez
FileDescription: EternalBlues
FileVersion: 0.0.0.8
InternalName: EternalBlues.exe
LegalCopyright: Copyright © Elad Erez
LegalTrademarks: -
OriginalFileName: EternalBlues.exe
ProductName: Eternal Blues
ProductVersion: 0.0.0.8
AssemblyVersion: 0.0.0.8
No data.
Total processes: 34
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0


Process information

PID | CMD | Path | Parent process
3984 | "C:\Users\admin\AppData\Local\Temp\EternalBlue.exe" | C:\Users\admin\AppData\Local\Temp\EternalBlue.exe | explorer.exe
User: admin
Company: Elad Erez
Integrity Level: MEDIUM
Description: EternalBlues
Version: 0.0.0.8
Modules (images):
c:\users\admin\appdata\local\temp\eternalblue.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

4060 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 10 022
Read events: 9 970
Write events: 46
Delete events: 6

Modification events (all by PID 3984, EternalBlue.exe)

Key | Operation | Name | Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASAPI32 | write | EnableFileTracing | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASAPI32 | write | EnableConsoleTracing | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASAPI32 | write | FileTracingMask | -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASAPI32 | write | ConsoleTracingMask | -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASAPI32 | write | MaxFileSize | 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASAPI32 | write | FileDirectory | %windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASMANCS | write | EnableFileTracing | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASMANCS | write | EnableConsoleTracing | 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASMANCS | write | FileTracingMask | -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EternalBlue_RASMANCS | write | ConsoleTracingMask | -
Executable files: 0
Suspicious files: 24
Text files: 45
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3984 | EternalBlue.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | binary
  MD5: 8202A1CD02E7D69597995CABBE881A12
  SHA256: 58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5
3984 | EternalBlue.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | binary
  MD5: 4C3F5AEF424EAD0CA4DE6EE363AD4DC9
  SHA256: DC4A5FCFDC6215CA19E71FB055B15FDA2A8CBC536110C4F4D20C2FF2ABDD7FD8
3984 | EternalBlue.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\3FKIQECJ.txt | text
  MD5: 2B9B6736B91C0FCFC9983F9F145D529E
  SHA256: 5E60C6FA853AF9FB07BC4C523D4C4A49E1563E9D6D58B0B0F2B6E64E33A9ACBD
3984 | EternalBlue.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: C4658E249840259D0D34307CB9DF41CA
  SHA256: 43B7C3504126B8E91A922FDB83CB0F34B23B67C982EF3709B61E2333B2672F74
3984 | EternalBlue.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
  MD5: 3964DAFEBA7233B7C2360DC06311160E
  SHA256: 7E0F95A388374BE3245B725E81076C3453DCA2FFE7001A235AE6EE7480702025
3984 | EternalBlue.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\script[1].js | text
  MD5: BFC517188E31C284E6F920185EF9581F
  SHA256: 2CB9E929560926259750C4D840710FBF0A7D2C8DA9A9A886EE478BC362829E7E
3984 | EternalBlue.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary
  MD5: D2D68945FB91626B3374708F8BA38FBC
  SHA256: F55B96F9480DBF7D638CD544235731E5A9FB230937C455431BAC1FFDDC96A932
3984 | EternalBlue.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | binary
  MD5: 80F43CF60B6FC831CDAB0DBEE99014E0
  SHA256: ADCF19C7B5370BDE75D171BB1F2DAC870D99F8670A073A8416F3FEB81B1CFDDB
3984 | EternalBlue.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\hd-style[1].css | text
  MD5: E6BECE7897F67C0DD9542C90BB582D99
  SHA256: D2673334CC6DB9E20B9CEA18BCE2685CEB107C31CCAC7D3B8FABA2FB10B9210E
3984 | EternalBlue.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\hd-style-print[1].css | text
  MD5: 7878FDA89F8E725FA06880D1890F9C00
  SHA256: 6D17B244F2B4B8A93886DBE5CFFAD1CBE8FC9079495FB972A10FAC1EDA0A16CE
HTTP(S) requests: 14
TCP/UDP connections: 35
DNS requests: 23
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL
3984 | EternalBlue.exe | GET | 302 | 3.130.204.160:80 | http://omerez.com/repository/eternalblues-version.txt
3984 | EternalBlue.exe | GET | 302 | 3.130.204.160:80 | http://omerez.com/repository/pages/eternalblues-report.html?id=1297319125&startScan=256&version=0.0.0.8
3984 | EternalBlue.exe | GET | 304 | 213.155.157.168:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e948317888637db8
3984 | EternalBlue.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
3984 | EternalBlue.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
3984 | EternalBlue.exe | GET | 200 | 142.250.181.227:80 | http://c.pki.goog/r/r1.crl
3984 | EternalBlue.exe | GET | 200 | 104.18.20.226:80 | http://ocsp2.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEH6HwqMlsnS7%2BryQ1sUoZV4%3D
3984 | EternalBlue.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
3984 | EternalBlue.exe | GET | 200 | 142.250.181.227:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD52znXgmjnXwogfY0LOz7q
3984 | EternalBlue.exe | GET | 200 | 142.250.181.227:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDcoc6fqZ4zlBD%2FfhdqltwL

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3984 | EternalBlue.exe | 3.130.204.160:80 | omerez.com | AMAZON-02 | US | unknown
3984 | EternalBlue.exe | 172.67.70.191:443 | www.hugedomains.com | CLOUDFLARENET | US | unknown
3984 | EternalBlue.exe | 192.168.100.2:445 | - | - | - | whitelisted
3984 | EternalBlue.exe | 192.168.100.4:445 | - | - | - | unknown
3984 | EternalBlue.exe | 192.168.100.1:445 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3984 | EternalBlue.exe | 213.155.157.168:80 | ctldl.windowsupdate.com | Telia Company AB | SE | unknown
3984 | EternalBlue.exe | 142.250.181.227:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
3984 | EternalBlue.exe | 142.250.184.202:443 | fonts.googleapis.com | GOOGLE | US | whitelisted
3984 | EternalBlue.exe | 172.67.20.8:443 | cdn-cookieyes.com | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
omerez.com | 3.130.204.160, 3.130.253.23 | unknown
www.hugedomains.com | 172.67.70.191, 104.26.7.37, 104.26.6.37 | whitelisted
ctldl.windowsupdate.com | 213.155.157.168, 213.155.157.155 | whitelisted
ocsp.pki.goog | 142.250.181.227 | whitelisted
use.typekit.net | 213.155.157.27, 213.155.157.65 | whitelisted
static.hugedomains.com | 172.67.70.191, 104.26.7.37, 104.26.6.37 | unknown
fonts.googleapis.com | 142.250.184.202 | whitelisted
cdn-cookieyes.com | 172.67.20.8, 104.22.59.91, 104.22.58.91 | whitelisted
cdn.jsdelivr.net | 151.101.193.229, 151.101.129.229, 151.101.1.229, 151.101.65.229 | whitelisted
www.googletagmanager.com | 142.250.185.200 | whitelisted

Threats

PID | Process | Class | Message
3984 | EternalBlue.exe | Not Suspicious Traffic | INFO [ANY.RUN] A free CDN for open source projects (jsdelivr .net)
No debug info