analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://re75.info/share/

Full analysis: https://app.any.run/tasks/d0b0be7b-ad34-412a-a375-6cec482ccade
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 06, 2019, 12:46:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
ransomware
wannacry
wannacryptor
Indicators:
MD5:

C41A86EA38F78D4CA4064CD6632F136D

SHA1:

791B8F1DCDFD7582113E46F8D0C37639786381D7

SHA256:

230DF5E811E4AE684A047098F0E00CE767988463FAB8082BB3E9BC9A0D55EC19

SSDEEP:

3:N1KMg46K3n:CMgTK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3436)

    • Writes file to Word startup folder

      • wn.exe (PID: 1504)

    • WannaCry Ransomware was detected

      • wn.exe (PID: 1504)
      • cmd.exe (PID: 1908)

    • Modifies files in Chrome extension folder

      • wn.exe (PID: 1504)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3708)
      • taskhsvc.exe (PID: 3636)

    • Deletes shadow copies

      • cmd.exe (PID: 4068)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 4068)

    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 1268)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2340)
      • jig[1].exe (PID: 592)

    • Actions looks like stealing of personal data

      • wn.exe (PID: 1504)
      • drpbx.exe (PID: 1516)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3436)
      • iexplore.exe (PID: 992)
      • wn.exe (PID: 1504)
      • @[email protected] (PID: 408)
      • jig[1].exe (PID: 592)
      • WinRAR.exe (PID: 3552)

    • Uses ICACLS.EXE to modify access control list

      • wn.exe (PID: 1504)

    • Uses ATTRIB.EXE to modify file attributes

      • wn.exe (PID: 1504)

    • Creates files like Ransomware instruction

      • wn.exe (PID: 1504)
      • drpbx.exe (PID: 1516)

    • Starts CMD.EXE for commands execution

    • Creates files in the program directory

      • wn.exe (PID: 1504)
      • drpbx.exe (PID: 1516)

    • Executed as Windows Service

      • vssvc.exe (PID: 3752)
      • vds.exe (PID: 584)
      • wbengine.exe (PID: 1268)

    • Creates files in the user directory

      • taskhsvc.exe (PID: 3636)
      • wn.exe (PID: 1504)
      • jig[1].exe (PID: 592)
      • WinRAR.exe (PID: 3552)
      • drpbx.exe (PID: 1516)

    • Creates files in the Windows directory

      • wbadmin.exe (PID: 2976)

    • Low-level read access rights to disk partition

      • vds.exe (PID: 584)
      • wbengine.exe (PID: 1268)

    • Executed via COM

      • vdsldr.exe (PID: 2884)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3532)

    • Starts itself from another location

      • jig[1].exe (PID: 592)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 992)

    • Changes internet zones settings

      • iexplore.exe (PID: 992)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 992)
      • iexplore.exe (PID: 3436)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3436)

    • Dropped object may contain TOR URL's

      • wn.exe (PID: 1504)

    • Dropped object may contain URL to Tor Browser

      • wn.exe (PID: 1504)

    • Dropped object may contain Bitcoin addresses

      • wn.exe (PID: 1504)
      • drpbx.exe (PID: 1516)
      • taskhsvc.exe (PID: 3636)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
93
Monitored processes
39
Malicious processes
9
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe #WANNACRY wn.exe attrib.exe no specs icacls.exe no specs taskdl.exe no specs cmd.exe no specs @[email protected] #WANNACRY cmd.exe no specs @[email protected] no specs taskhsvc.exe searchprotocolhost.exe no specs cmd.exe vssadmin.exe no specs vssvc.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs taskdl.exe no specs @[email protected] no specs cmd.exe no specs reg.exe taskdl.exe no specs @[email protected] no specs taskdl.exe no specs @[email protected] no specs jig[1].exe drpbx.exe taskdl.exe no specs @[email protected] no specs winrar.exe taskdl.exe no specs @[email protected] no specs @[email protected] no specs taskdl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
992"C:\Program Files\Internet Explorer\iexplore.exe" "http://re75.info/share/"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3436"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:992 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1504"C:\Users\admin\Desktop\wn.exe" C:\Users\admin\Desktop\wn.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DiskPart
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3820attrib +h .C:\Windows\system32\attrib.exewn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3900icacls . /grant Everyone:F /T /C /QC:\Windows\system32\icacls.exewn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2796taskdl.exeC:\Users\admin\Desktop\taskdl.exewn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2636cmd /c 62901575636482.batC:\Windows\system32\cmd.exewn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
408@[email protected] coC:\Users\admin\Desktop\@[email protected]
wn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Load PerfMon Counters
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1908cmd.exe /c start /b @[email protected] vsC:\Windows\system32\cmd.exe
wn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2668@[email protected] vsC:\Users\admin\Desktop\@[email protected]cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Load PerfMon Counters
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 461
Read events
2 222
Write events
0
Delete events
0

Modification events

No data
Executable files
25
Suspicious files
632
Text files
514
Unknown types
21

Dropped files

PID
Process
Filename
Type
992iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
992iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KOKD76TV\share[1].txt
MD5:
SHA256:
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:A6796A9C2ED9D5977A654E3B2D7959A6
SHA256:FE45FF5D591EEB1ED08A38F5E4D116B2D56CA73A7599C84849A271AB51BDFA45
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KOKD76TV\share[1].htmhtml
MD5:3A3673599B33AECD862AA97687908F23
SHA256:F256157EC271D3E416564B4FA4F35DCEE9FE84B13795989BB1662073242D3519
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:F46392F6E71E70D34D86E5300787ED27
SHA256:5DA318B32ED38212847F74C29830A40E9A02A1FA3CB97D03B594233FFD6A9B7A
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:E27106371A2A0D3235C8B830DC4F04F7
SHA256:D01CE014CE9C0D68700962D7736AF56AD29A57D1213DD8F4D23C26097CC578B4
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YNGJP2MJ\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q1VNBDV6\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q1VNBDV6\folder[1].gifimage
MD5:D342CBA375FEA336967317BDB5D7CF19
SHA256:FBE5ECA717CFBCB58891D431F9AFAF30AA740D9FCE007E820A599F22AFA0DEE2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
21
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3436
iexplore.exe
GET
153.126.158.65:80
http://re75.info/share/wn.exe
JP
malicious
3436
iexplore.exe
GET
200
153.126.158.65:80
http://re75.info/icons/blank.gif
JP
image
148 b
malicious
3436
iexplore.exe
GET
200
153.126.158.65:80
http://re75.info/share/mal.zip
JP
compressed
4.19 Mb
malicious
3436
iexplore.exe
GET
200
153.126.158.65:80
http://re75.info/share/
JP
html
3.85 Kb
malicious
992
iexplore.exe
GET
404
153.126.158.65:80
http://re75.info/favicon.ico
JP
html
283 b
malicious
3436
iexplore.exe
GET
200
153.126.158.65:80
http://re75.info/icons/compressed.gif
JP
image
1.01 Kb
malicious
3436
iexplore.exe
GET
200
153.126.158.65:80
http://re75.info/icons/sound2.gif
JP
image
221 b
malicious
3436
iexplore.exe
GET
200
153.126.158.65:80
http://re75.info/share/jig.exe
JP
executable
283 Kb
malicious
3436
iexplore.exe
GET
200
153.126.158.65:80
http://re75.info/icons/a.gif
JP
image
246 b
malicious
3436
iexplore.exe
GET
200
153.126.158.65:80
http://re75.info/icons/back.gif
JP
image
216 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3636
taskhsvc.exe
51.75.144.233:443
GB
suspicious
992
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3636
taskhsvc.exe
31.31.78.49:443
WEDOS Internet, a.s.
CZ
suspicious
3636
taskhsvc.exe
51.15.189.209:9001
Online S.a.s.
FR
malicious
3636
taskhsvc.exe
163.172.25.118:22
Online S.a.s.
FR
suspicious
3636
taskhsvc.exe
195.154.165.64:8443
Online S.a.s.
FR
suspicious
3436
iexplore.exe
153.126.158.65:80
re75.info
SAKURA Internet Inc.
JP
malicious
3636
taskhsvc.exe
193.23.244.244:443
Chaos Computer Club e.V.
DE
malicious
992
iexplore.exe
153.126.158.65:80
re75.info
SAKURA Internet Inc.
JP
malicious

DNS requests

Domain
IP
Reputation
re75.info
  • 153.126.158.65
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
dns.msftncsi.com
shared

Threats

PID
Process
Class
Message
3436
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3436
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3436
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3636
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218
3636
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 100
3636
taskhsvc.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3636
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
3636
taskhsvc.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3436
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3636
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 489
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://re75.info/share/