File name:

WannaCry.exe

Full analysis: https://app.any.run/tasks/a9c43107-a43c-4341-b58c-872dca1a987a
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: September 08, 2024, 12:28:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
sinkhole
ransomware
wannacry
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

DB80F5F849C902B146AFA7C375A4B2A5

SHA1:

5B8844EFB368DED70B991178350C91DDDD28E448

SHA256:

6C8AF938C7796EB36C829B0D600117F2E99065E660A7C2936A7A5387C7488A8D

SSDEEP:

49152:CImBlTyQV7JYHwD8BszxFKTUHDrBpqhNLE7HmF3T8YfFsVIYYx9m3vXxXNVulb8x:CbsB9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • WANNACRY has been detected (SURICATA)

      • svchost.exe (PID: 2256)
      • WannaCry.exe (PID: 6960)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Checks supported languages

      • WannaCry.exe (PID: 6960)

    • Reads Environment values

      • WannaCry.exe (PID: 6960)

    • Create files in a temporary directory

      • WannaCry.exe (PID: 6960)

    • Checks proxy server information

      • WannaCry.exe (PID: 6960)

    • Reads the computer name

      • WannaCry.exe (PID: 6960)

    • Reads the machine GUID from the registry

      • WannaCry.exe (PID: 6960)

    • Disables trace logs

      • WannaCry.exe (PID: 6960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2039:10:07 19:29:46+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 2635776
InitializedDataSize: 435200
UninitializedDataSize: -
EntryPoint: 0x2857de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: WannaCrydemo
FileVersion: 1.0.0.0
InternalName: WannaCrydemo.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFileName: WannaCrydemo.exe
ProductName: WannaCrydemo
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #WANNACRY wannacry.exe #WANNACRY svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6960"C:\Users\admin\AppData\Local\Temp\WannaCry.exe" C:\Users\admin\AppData\Local\Temp\WannaCry.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WannaCrydemo
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\wannacry.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
907
Read events
893
Write events
14
Delete events
0

Modification events

(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6960) WannaCry.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WannaCry_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
18
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1068.log.WNCRY
MD5:
SHA256:
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1108.log.WNCRY
MD5:
SHA256:
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1120.log.WNCRY
MD5:
SHA256:
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1132.log.WNCRY
MD5:
SHA256:
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1136.log.WNCRY
MD5:
SHA256:
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1148.log.WNCRY
MD5:
SHA256:
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1176.log.WNCRY
MD5:
SHA256:
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1184.log.WNCRY
MD5:
SHA256:
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1468.log.WNCRY
MD5:
SHA256:
6960WannaCry.exeC:\Users\admin\AppData\Local\Temp\aria-debug-1480.log.WNCRY
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
38
DNS requests
16
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6960
WannaCry.exe
GET
200
104.16.167.228:80
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
unknown
whitelisted
6516
svchost.exe
GET
200
23.195.249.173:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3652
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6960
WannaCry.exe
GET
200
104.16.167.228:80
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
unknown
whitelisted
6708
SIHClient.exe
GET
200
23.195.249.173:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6708
SIHClient.exe
GET
200
23.195.249.173:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6960
WannaCry.exe
GET
200
104.16.167.228:80
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
unknown
whitelisted
6960
WannaCry.exe
GET
200
104.16.167.228:80
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6420
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6960
WannaCry.exe
192.168.134.23:445
unknown
6960
WannaCry.exe
104.16.167.228:80
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
CLOUDFLARENET
whitelisted
6516
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6516
svchost.exe
23.195.249.173:80
www.microsoft.com
AKAMAI-AS
CZ
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.110
whitelisted
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 104.16.167.228
  • 104.16.166.228
whitelisted
www.microsoft.com
  • 23.195.249.173
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.76
  • 40.126.32.138
  • 40.126.32.133
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.136
  • 20.190.160.22
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
6960
WannaCry.exe
Misc activity
ET MALWARE Known Sinkhole Response Kryptos Logic
6960
WannaCry.exe
A Network Trojan was detected
AV TROJAN Domain Sinkholed by Kryptos Logic (HTML Response)
2256
svchost.exe
A Network Trojan was detected
ET MALWARE Possible WannaCry DNS Lookup 1
6960
WannaCry.exe
A Network Trojan was detected
ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
6960
WannaCry.exe
A Network Trojan was detected
AV TROJAN Domain Sinkholed by Kryptos Logic (HTML Response)
6960
WannaCry.exe
Misc activity
ET MALWARE Known Sinkhole Response Kryptos Logic
6960
WannaCry.exe
A Network Trojan was detected
ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
6960
WannaCry.exe
Misc activity
ET MALWARE Known Sinkhole Response Kryptos Logic
6960
WannaCry.exe
A Network Trojan was detected
AV TROJAN Domain Sinkholed by Kryptos Logic (HTML Response)
6960
WannaCry.exe
A Network Trojan was detected
ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WannaCry.exe