analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Full analysis: https://app.any.run/tasks/0134ec2f-a63b-45a1-928b-12258fffa90b
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 01:41:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ransomware
wannacry
Indicators:
MD5:

DD8CAC9E391465E102C2AA17C900C420

SHA1:

39D935CF07D8EC16BF38FEA8C9FB1AA66545CCE8

SHA256:

2F38724A2FB3328F10FA216E841328AA2DE09B48EA2CF467AA9BDDDEF851747E

SSDEEP:

3:N1KJS4niCP8NBBC3ADyKI:Cc4ryBBeT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • WANNACRY was detected

      • iexplore.exe (PID: 576)
      • iexplore.exe (PID: 1952)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1952)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 576)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1952)

    • Creates files in the user directory

      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 576)

    • Changes internet zones settings

      • iexplore.exe (PID: 1952)

    • Reads internet explorer settings

      • iexplore.exe (PID: 576)

    • Application launched itself

      • iexplore.exe (PID: 1952)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #WANNACRY iexplore.exe #WANNACRY iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1952"C:\Program Files\Internet Explorer\iexplore.exe" http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
576"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1952 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
574
Read events
496
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
13
Text files
7
Unknown types
8

Dropped files

PID
Process
Filename
Type
1952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
576iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab78B2.tmp
MD5:
SHA256:
576iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar78B3.tmp
MD5:
SHA256:
1952iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].htm
MD5:
SHA256:
1952iexplore.exeC:\Users\admin\AppData\Local\Temp\CabF3AF.tmp
MD5:
SHA256:
1952iexplore.exeC:\Users\admin\AppData\Local\Temp\TarF3B0.tmp
MD5:
SHA256:
1952iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF3D0.tmp
MD5:
SHA256:
1952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203der
MD5:96E2151662555236660BCF9FA188A843
SHA256:8A7B23F9A171A2932A466C4253EC59A0D5F2A3D63A167057E6F407708002B13F
1952iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\F4ZJLTSA.txttext
MD5:40DFA0CCF40258CEB092836DE7B6F2A3
SHA256:4029CCB41AA9BE83A2DC9BB60E77FC631BFA764B89CC61888AEB6C380647D915
576iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_8EAD27B819DF8B4C5C4FF19A4C07EA80der
MD5:44687DBDCD905B99E181E51446034D84
SHA256:2CEA26E44FAA170CFBDB6BAF9BD0B7D303FA97EDC8BC53EF3CC2E9D55C766912
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
23
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1952
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
576
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCOUTy4wn8XWggAAAAAWy8I
US
der
472 b
whitelisted
1952
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
576
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCECiWpPQxRDpPAgAAAAB8NWE%3D
US
der
471 b
whitelisted
576
iexplore.exe
GET
200
35.237.128.253:80
http://static.kryptoslogicsinkhole.com/style.css
US
text
11.5 Kb
whitelisted
1952
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
576
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCECiWpPQxRDpPAgAAAAB8NWE%3D
US
der
471 b
whitelisted
576
iexplore.exe
GET
200
104.16.173.80:80
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
US
html
349 b
whitelisted
1952
iexplore.exe
GET
200
104.16.173.80:80
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico
US
html
349 b
whitelisted
1952
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1952
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
576
iexplore.exe
172.217.16.195:443
fonts.gstatic.com
Google Inc.
US
whitelisted
1952
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
576
iexplore.exe
35.237.128.253:80
static.kryptoslogicsinkhole.com
US
malicious
576
iexplore.exe
172.217.16.131:80
ocsp.pki.goog
Google Inc.
US
whitelisted
576
iexplore.exe
172.217.16.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted
1952
iexplore.exe
104.16.173.80:80
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cloudflare Inc
US
shared
1952
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
104.16.173.80:80
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cloudflare Inc
US
shared
576
iexplore.exe
104.16.173.80:80
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 104.16.173.80
  • 104.17.244.81
whitelisted
static.kryptoslogicsinkhole.com
  • 35.237.128.253
whitelisted
fonts.googleapis.com
  • 172.217.16.170
whitelisted
ocsp.pki.goog
  • 172.217.16.131
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
crl.pki.goog
  • 172.217.16.131
whitelisted
fonts.gstatic.com
  • 172.217.16.195
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
AV TROJAN Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)
A Network Trojan was detected
RANSOMWARE [PTsecurity] WannaCry
Misc activity
SUSPICIOUS [PTsecurity] Possible WannaCry Killswitch
576
iexplore.exe
A Network Trojan was detected
ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
1952
iexplore.exe
A Network Trojan was detected
ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com