analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

list copy.crypto.zip

Full analysis: https://app.any.run/tasks/04aaf85e-6df7-4fea-8c8f-59f863078b54
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 29, 2020, 23:44:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
ransomware
wannacry
wannacryptor
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

17CE0C03BEB5BEE578613D4E461F4C27

SHA1:

21168E77C2BC69C42229D8B0E97A0C57503AE784

SHA256:

26EFAF9E720540E81D52D0A7FD847808EC9641A2D8C946D5F8129CD103DD192B

SSDEEP:

1536:whohAF8fiC60Rrpm82C79J1wv1+LQl8vNuv0UJBU:goeF8Esbuv8EGvNuvvrU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • WinRAR.exe (PID: 812)
      • SearchProtocolHost.exe (PID: 3356)
      • wannacry.exe (PID: 2900)

    • Downloads executable files from the Internet

      • chrome.exe (PID: 2612)

    • Application was dropped or rewritten from another process

    • Writes file to Word startup folder

      • wannacry.exe (PID: 2900)

    • WannaCry Ransomware was detected

      • wannacry.exe (PID: 2900)
      • cmd.exe (PID: 2064)

    • Loads dropped or rewritten executable

      • taskhsvc.exe (PID: 2712)
      • SearchProtocolHost.exe (PID: 3356)

    • Modifies files in Chrome extension folder

      • wannacry.exe (PID: 2900)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 1456)

    • Deletes shadow copies

      • cmd.exe (PID: 1456)

    • Changes the autorun value in the registry

      • reg.exe (PID: 4032)

    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 200)

  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • WinRAR.exe (PID: 812)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2864)
      • chrome.exe (PID: 2612)
      • wannacry.exe (PID: 2900)
      • @[email protected] (PID: 2236)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2864)

    • Uses ICACLS.EXE to modify access control list

      • wannacry.exe (PID: 2900)

    • Starts CMD.EXE for commands execution

    • Uses ATTRIB.EXE to modify file attributes

      • wannacry.exe (PID: 2900)

    • Creates files like Ransomware instruction

      • wannacry.exe (PID: 2900)

    • Creates files in the program directory

      • wannacry.exe (PID: 2900)

    • Creates files in the user directory

      • taskhsvc.exe (PID: 2712)
      • wannacry.exe (PID: 2900)

    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 200)
      • vds.exe (PID: 1916)

    • Creates files in the Windows directory

      • wbadmin.exe (PID: 2784)

    • Executed as Windows Service

      • wbengine.exe (PID: 200)
      • vssvc.exe (PID: 1348)
      • vds.exe (PID: 1916)

    • Executed via COM

      • vdsldr.exe (PID: 3212)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3580)

  • INFO

    • Manual execution by user

      • chrome.exe (PID: 2864)
      • wannacry.exe (PID: 2900)

    • Reads the hosts file

      • chrome.exe (PID: 2612)
      • chrome.exe (PID: 2864)

    • Dropped object may contain Bitcoin addresses

      • chrome.exe (PID: 2864)
      • wannacry.exe (PID: 2900)
      • taskhsvc.exe (PID: 2712)

    • Application launched itself

      • chrome.exe (PID: 2864)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2864)

    • Dropped object may contain TOR URL's

      • wannacry.exe (PID: 2900)

    • Dropped object may contain URL to Tor Browser

      • wannacry.exe (PID: 2900)

    • Reads settings of System Certificates

      • chrome.exe (PID: 2612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: list copy.crypto
ZipUncompressedSize: 54435
ZipCompressedSize: 54435
ZipCRC: 0x7eea9ed1
ZipModifyDate: 2020:05:29 22:53:06
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 778
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
77
Malicious processes
7
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start winrar.exe rundll32.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #WANNACRY wannacry.exe attrib.exe no specs icacls.exe no specs taskdl.exe no specs cmd.exe no specs @[email protected] #WANNACRY cmd.exe no specs @[email protected] no specs taskhsvc.exe searchprotocolhost.exe cmd.exe vssadmin.exe no specs vssvc.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs taskdl.exe no specs @[email protected] no specs cmd.exe no specs reg.exe taskdl.exe no specs @[email protected] no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs taskdl.exe no specs @[email protected] no specs taskdl.exe no specs @[email protected] no specs taskdl.exe no specs @[email protected] no specs

Process information

PID
CMD
Path
Indicators
Parent process
812"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\list copy.crypto.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
532"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIa812.24500\list copy.cryptoC:\Windows\system32\rundll32.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2864"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
4016"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6eada9d0,0x6eada9e0,0x6eada9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3040"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2964 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1656"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,10966589326713460850,17946587711697229303,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=8845252652324073733 --mojo-platform-channel-handle=992 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2612"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,10966589326713460850,17946587711697229303,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=9450714027520126925 --mojo-platform-channel-handle=1548 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2388"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,10966589326713460850,17946587711697229303,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5195234348311390865 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2152"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,10966589326713460850,17946587711697229303,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8779936056734888771 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2980"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,10966589326713460850,17946587711697229303,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1218241627744692750 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
2 965
Read events
2 669
Write events
0
Delete events
0

Modification events

No data
Executable files
22
Suspicious files
638
Text files
762
Unknown types
24

Dropped files

PID
Process
Filename
Type
812WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa812.24941\list copy.crypto
MD5:
SHA256:
2864chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5ED19E95-B30.pma
MD5:
SHA256:
2864chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old
MD5:
SHA256:
2864chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RFaa5e4.TMP
MD5:
SHA256:
2864chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp
MD5:
SHA256:
2864chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
2864chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:F69C20D5B552B8D973FB1CBA5FDD7D87
SHA256:48799968D50E2D74E625A0AB18E93C6792AF20010334C6BB4E935C8D26F7026A
812WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa812.24500\list copy.cryptobinary
MD5:693A9B8C653158B70B8C23DFADBF3ABD
SHA256:60A3580CE5C80D87B09054C60EF62697B9C4DD8AC84A7151B8A2F7F357B9A54F
2864chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFaa538.TMPtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
2864chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFaa538.TMPtext
MD5:F69C20D5B552B8D973FB1CBA5FDD7D87
SHA256:48799968D50E2D74E625A0AB18E93C6792AF20010334C6BB4E935C8D26F7026A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
89
DNS requests
57
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2612
chrome.exe
GET
302
172.217.18.110:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
519 b
whitelisted
2612
chrome.exe
GET
200
172.217.23.162:80
http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
US
text
38.3 Kb
whitelisted
2612
chrome.exe
GET
200
176.9.61.4:80
http://originaldll.com/file/wannacry.exe/41397.html
DE
html
3.65 Kb
whitelisted
2612
chrome.exe
GET
200
88.212.201.198:80
http://counter.yadro.ru/hit?q;t21.2;rhttps%3A//www.google.co.uk/;s1280*720*24;uhttp%3A//originaldll.com/file/wannacry.exe/41397.html;0.7668068300616073
RU
image
1.28 Kb
whitelisted
2612
chrome.exe
GET
200
74.125.4.203:80
http://r5---sn-aigzrner.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=QJ&mip=185.192.69.26&mm=28&mn=sn-aigzrner&ms=nvh&mt=1590795542&mv=u&mvi=4&pl=24&shardbypass=yes
US
crx
293 Kb
whitelisted
2612
chrome.exe
GET
301
104.31.85.66:80
http://www.anonfile.com/
US
suspicious
2612
chrome.exe
GET
302
172.217.18.110:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjY5QUFXTEQwc2RPVXhRY3picjhxblh1dw/7619.603.0.2_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
524 b
whitelisted
2612
chrome.exe
GET
200
88.212.201.198:80
http://counter.yadro.ru/hit?q;t21.2;rhttp%3A//originaldll.com/file/wannacry.exe/41397.html;s1280*720*24;uhttp%3A//originaldll.com/download/41397.exe;0.6930063006857359
RU
image
1.28 Kb
whitelisted
2612
chrome.exe
GET
302
88.212.201.198:80
http://counter.yadro.ru/hit?t21.2;rhttp%3A//originaldll.com/file/wannacry.exe/41397.html;s1280*720*24;uhttp%3A//originaldll.com/download/41397.exe;0.6930063006857359
RU
html
32 b
whitelisted
2612
chrome.exe
GET
200
173.194.135.103:80
http://r2---sn-aigzrn7z.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjY5QUFXTEQwc2RPVXhRY3picjhxblh1dw/7619.603.0.2_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=Qx&mip=185.192.69.26&mm=28&mn=sn-aigzrn7z&ms=nvh&mt=1590795542&mv=u&mvi=1&pl=24&shardbypass=yes
US
crx
816 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2612
chrome.exe
216.58.206.3:443
www.gstatic.com
Google Inc.
US
whitelisted
2612
chrome.exe
172.217.16.173:443
accounts.google.com
Google Inc.
US
whitelisted
2612
chrome.exe
216.58.212.174:443
ogs.google.com.ua
Google Inc.
US
whitelisted
2612
chrome.exe
216.58.208.35:443
www.google.co.uk
Google Inc.
US
whitelisted
2612
chrome.exe
172.217.22.14:443
clients2.google.com
Google Inc.
US
whitelisted
2612
chrome.exe
172.217.22.3:443
www.google.com.ua
Google Inc.
US
whitelisted
2612
chrome.exe
172.217.23.110:443
apis.google.com
Google Inc.
US
whitelisted
2612
chrome.exe
172.217.16.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2612
chrome.exe
172.217.16.195:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2612
chrome.exe
216.58.207.36:443
www.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.16.195
whitelisted
accounts.google.com
  • 172.217.16.173
shared
www.google.com.ua
  • 172.217.22.3
whitelisted
fonts.googleapis.com
  • 172.217.16.170
whitelisted
www.gstatic.com
  • 216.58.206.3
whitelisted
fonts.gstatic.com
  • 172.217.16.195
whitelisted
apis.google.com
  • 172.217.23.110
whitelisted
ogs.google.com.ua
  • 216.58.212.174
whitelisted
www.google.com
  • 216.58.207.36
whitelisted
www.google.co.uk
  • 216.58.208.35
whitelisted

Threats

PID
Process
Class
Message
2612
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2612
chrome.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2712
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 229
2712
taskhsvc.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2712
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 537
2712
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 241
2712
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 323
2712
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
list copy.crypto.zip