analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://mega.nz/file/vrRkGYxL#rJo_gewJsjrEdF0XwWQIhavYLBDeSFCarqC6ifwr6e4

Full analysis: https://app.any.run/tasks/282bdfa0-2576-4f9c-ad34-a8558867729e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 30, 2020, 00:57:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
wannacry
wannacryptor
Indicators:
MD5:

3D6E683FB70335A57A2EEDA635057DEC

SHA1:

DD6B53846D95BCEE4DB5B4DE5DD01B2D192027EB

SHA256:

788F52EAADDE77FD77BDA0F3755A24F3E7DA2753D3043371E9E0469FE175879E

SSDEEP:

3:N8X/iXKBnMVNETLEmgDARn:2XnmWTLESRn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

    • WannaCry Ransomware was detected

      • cmd.exe (PID: 3456)
      • WannaCry.EXE (PID: 3436)
    • Writes file to Word startup folder

      • WannaCry.EXE (PID: 3436)
    • Modifies files in Chrome extension folder

      • WannaCry.EXE (PID: 3436)
    • Loads dropped or rewritten executable

      • taskhsvc.exe (PID: 2544)
    • Deletes shadow copies

      • cmd.exe (PID: 2568)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 2568)
    • Actions looks like stealing of personal data

      • WannaCry.EXE (PID: 3436)
    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 2128)
    • Changes the autorun value in the registry

      • reg.exe (PID: 2428)
  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2436)
    • Executable content was dropped or overwritten

    • Uses ATTRIB.EXE to modify file attributes

      • WannaCry.EXE (PID: 3436)
    • Creates files like Ransomware instruction

      • WannaCry.EXE (PID: 3436)
    • Uses ICACLS.EXE to modify access control list

      • WannaCry.EXE (PID: 3436)
    • Starts CMD.EXE for commands execution

    • Executes scripts

      • cmd.exe (PID: 864)
    • Creates files in the program directory

      • WannaCry.EXE (PID: 3436)
    • Creates files in the user directory

      • taskhsvc.exe (PID: 2544)
      • WannaCry.EXE (PID: 3436)
    • Executed as Windows Service

      • wbengine.exe (PID: 2128)
      • vds.exe (PID: 728)
    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 2128)
      • vds.exe (PID: 728)
    • Creates files in the Windows directory

      • wbadmin.exe (PID: 1792)
    • Executed via COM

      • vdsldr.exe (PID: 3448)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2976)
  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 2436)
      • chrome.exe (PID: 944)
    • Reads settings of System Certificates

      • chrome.exe (PID: 944)
    • Application launched itself

      • chrome.exe (PID: 2436)
    • Dropped object may contain TOR URL's

      • WannaCry.EXE (PID: 3436)
    • Dropped object may contain URL to Tor Browser

      • WannaCry.EXE (PID: 3436)
    • Dropped object may contain Bitcoin addresses

      • WannaCry.EXE (PID: 3436)
      • taskhsvc.exe (PID: 2544)
    • Manual execution by user

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
107
Monitored processes
57
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe chrome.exe no specs #WANNACRY wannacry.exe attrib.exe no specs icacls.exe no specs taskdl.exe no specs cmd.exe no specs cscript.exe no specs @[email protected] #WANNACRY cmd.exe no specs @[email protected] no specs taskhsvc.exe chrome.exe no specs cmd.exe vssadmin.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs explorer.exe no specs taskdl.exe no specs @[email protected] no specs cmd.exe no specs reg.exe chrome.exe no specs @[email protected] no specs taskdl.exe no specs @[email protected] no specs

Process information

PID
CMD
Path
Indicators
Parent process
2436"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://mega.nz/file/vrRkGYxL#rJo_gewJsjrEdF0XwWQIhavYLBDeSFCarqC6ifwr6e4"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3172"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6e65a9d0,0x6e65a9e0,0x6e65a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2116"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2444 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1916"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=5701107746767143367 --mojo-platform-channel-handle=996 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
944"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=16690900221809745417 --mojo-platform-channel-handle=1628 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2496"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17201577811219571990 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3460"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13328803344809531483 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
1764"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4273218122312719981 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1588"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=386980294108877001 --mojo-platform-channel-handle=3376 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2872"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,1042496025593675294,2680719887522011659,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10415927450276866635 --mojo-platform-channel-handle=3932 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
2 021
Read events
1 893
Write events
0
Delete events
0

Modification events

No data
Executable files
19
Suspicious files
557
Text files
735
Unknown types
34

Dropped files

PID
Process
Filename
Type
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5ED1AF8F-984.pma
MD5:
SHA256:
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\87dd6f9e-1010-4a02-b38a-3387900f386c.tmp
MD5:
SHA256:
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp
MD5:
SHA256:
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF109a1f.TMPtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF109a0f.TMPtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:AC43135B8C9FED46A92448C4E711F45C
SHA256:D840BA7CEBACF86DDBAD75BFB61A53449AA7AE3DE6B8ADC97FE45624626A6F09
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF109a8c.TMPtext
MD5:FC9FFE77348619CC285333DFF5E1D5D1
SHA256:7CB9B3575330B3D776A21EB7A7407E34F013A0975B7418DA11B5C85DEC91D1F3
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF109a5d.TMPtext
MD5:AC43135B8C9FED46A92448C4E711F45C
SHA256:D840BA7CEBACF86DDBAD75BFB61A53449AA7AE3DE6B8ADC97FE45624626A6F09
2436chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.oldtext
MD5:A9C81BA506E2A0D898698EAF075EBE5C
SHA256:92FB2125FB5A0B877B76C4E3409B250EFF394804C7F24E236FBE162E1054AF90
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
50
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
944
chrome.exe
GET
200
173.194.7.11:80
http://r5---sn-p5qlsns6.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=QJ&mip=85.203.20.11&mm=28&mn=sn-p5qlsns6&ms=nvh&mt=1590800014&mv=u&mvi=4&pl=24&shardbypass=yes
US
crx
293 Kb
whitelisted
944
chrome.exe
GET
200
74.125.155.248:80
http://r2---sn-p5qs7nee.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjY5QUFXTEQwc2RPVXhRY3picjhxblh1dw/7619.603.0.2_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=Qx&mip=85.203.20.11&mm=28&mn=sn-p5qs7nee&ms=nvh&mt=1590800232&mv=m&mvi=1&pl=24&shardbypass=yes
US
crx
816 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
944
chrome.exe
172.217.23.106:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
944
chrome.exe
31.216.148.10:443
mega.nz
Datacenter Luxembourg S.A.
LU
unknown
944
chrome.exe
89.44.169.132:443
eu.static.mega.co.nz
Datacenter Luxembourg S.A.
LU
suspicious
944
chrome.exe
216.58.206.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
172.217.22.45:443
accounts.google.com
Google Inc.
US
whitelisted
944
chrome.exe
172.217.16.206:443
clients1.google.com
Google Inc.
US
whitelisted
944
chrome.exe
172.217.16.142:80
redirector.gvt1.com
Google Inc.
US
whitelisted
944
chrome.exe
31.216.147.133:443
g.api.mega.co.nz
Datacenter Luxembourg S.A.
LU
unknown
944
chrome.exe
172.217.22.100:443
www.google.com
Google Inc.
US
whitelisted
944
chrome.exe
172.217.22.45:443
accounts.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 216.58.206.3
whitelisted
mega.nz
  • 31.216.148.10
  • 89.44.169.135
whitelisted
accounts.google.com
  • 172.217.22.45
shared
safebrowsing.googleapis.com
  • 172.217.23.106
whitelisted
clients1.google.com
  • 172.217.16.206
whitelisted
eu.static.mega.co.nz
  • 89.44.169.132
  • 89.44.169.134
  • 31.216.148.13
  • 31.216.148.11
shared
clients2.google.com
  • 172.217.16.206
whitelisted
g.api.mega.co.nz
  • 31.216.147.133
  • 31.216.147.134
  • 31.216.147.136
  • 31.216.147.135
  • 31.216.147.132
shared
redirector.gvt1.com
  • 172.217.16.142
whitelisted
www.google.com
  • 172.217.22.100
whitelisted

Threats

PID
Process
Class
Message
2544
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 192
2544
taskhsvc.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2544
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 719
2544
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 718
2544
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 593
2544
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
2544
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
No debug info