URL:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Full analysis: https://app.any.run/tasks/0134ec2f-a63b-45a1-928b-12258fffa90b
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 01:41:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ransomware
wannacry
Indicators:
MD5:

DD8CAC9E391465E102C2AA17C900C420

SHA1:

39D935CF07D8EC16BF38FEA8C9FB1AA66545CCE8

SHA256:

2F38724A2FB3328F10FA216E841328AA2DE09B48EA2CF467AA9BDDDEF851747E

SSDEEP:

3:N1KJS4niCP8NBBC3ADyKI:Cc4ryBBeT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • WANNACRY was detected

      • iexplore.exe (PID: 576)
      • iexplore.exe (PID: 1952)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 1952)

    • Changes internet zones settings

      • iexplore.exe (PID: 1952)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 576)

    • Creates files in the user directory

      • iexplore.exe (PID: 576)
      • iexplore.exe (PID: 1952)

    • Reads internet explorer settings

      • iexplore.exe (PID: 576)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1952)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1952)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #WANNACRY iexplore.exe #WANNACRY iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
576"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1952 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
1952"C:\Program Files\Internet Explorer\iexplore.exe" http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
574
Read events
496
Write events
76
Delete events
2

Modification events

(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
1008747384
(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30844546
(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
0
Suspicious files
13
Text files
7
Unknown types
8

Dropped files

PID
Process
Filename
Type
1952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
576iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab78B2.tmp
MD5:
SHA256:
576iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar78B3.tmp
MD5:
SHA256:
1952iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].htm
MD5:
SHA256:
1952iexplore.exeC:\Users\admin\AppData\Local\Temp\CabF3AF.tmp
MD5:
SHA256:
1952iexplore.exeC:\Users\admin\AppData\Local\Temp\TarF3B0.tmp
MD5:
SHA256:
1952iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF3D0.tmp
MD5:
SHA256:
576iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_8EAD27B819DF8B4C5C4FF19A4C07EA80der
MD5:
SHA256:
576iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BDPCH2I3.txttext
MD5:
SHA256:
576iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_82315E7977AD1FD70B1072657822BA2Dder
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
23
DNS requests
12
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
576
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCECiWpPQxRDpPAgAAAAB8NWE%3D
US
der
471 b
whitelisted
576
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCECiWpPQxRDpPAgAAAAB8NWE%3D
US
der
471 b
whitelisted
1952
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1952
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
576
iexplore.exe
GET
200
35.237.128.253:80
http://static.kryptoslogicsinkhole.com/style.css
US
text
11.5 Kb
whitelisted
576
iexplore.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCOUTy4wn8XWggAAAAAWy8I
US
der
472 b
whitelisted
1952
iexplore.exe
GET
200
104.16.173.80:80
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico
US
html
349 b
malicious
1952
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
1952
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
576
iexplore.exe
GET
200
104.16.173.80:80
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
US
html
349 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
576
iexplore.exe
104.16.173.80:80
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cloudflare Inc
US
shared
576
iexplore.exe
172.217.16.195:443
fonts.gstatic.com
Google Inc.
US
whitelisted
1952
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1952
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
576
iexplore.exe
35.237.128.253:80
static.kryptoslogicsinkhole.com
US
malicious
576
iexplore.exe
172.217.16.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted
576
iexplore.exe
172.217.16.131:80
ocsp.pki.goog
Google Inc.
US
whitelisted
1952
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
104.16.173.80:80
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cloudflare Inc
US
shared
1952
iexplore.exe
104.16.173.80:80
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 104.16.173.80
  • 104.17.244.81
malicious
static.kryptoslogicsinkhole.com
  • 35.237.128.253
whitelisted
fonts.googleapis.com
  • 172.217.16.170
whitelisted
ocsp.pki.goog
  • 172.217.16.131
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
crl.pki.goog
  • 172.217.16.131
whitelisted
fonts.gstatic.com
  • 172.217.16.195
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
1060
svchost.exe
A Network Trojan was detected
AV TROJAN Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)
1060
svchost.exe
A Network Trojan was detected
RANSOMWARE [PTsecurity] WannaCry
1060
svchost.exe
Misc activity
SUSPICIOUS [PTsecurity] Possible WannaCry Killswitch
576
iexplore.exe
A Network Trojan was detected
ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
1952
iexplore.exe
A Network Trojan was detected
ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com