File name: Ransomware.wannacry.exe.malz.7z

Full analysis: https://app.any.run/tasks/74b46617-4c32-4157-9948-de309a0f08d2
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 13, 2024, 22:22:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
wannacry
sinkhole
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 4D9C771619255C9B937C34B4C50CEC7E
SHA1: 55177CD9CEFC6369DB31B23E324D3263B4D4E6A6
SHA256: ADB41A37499A6F0F5B1E58B1973367DD34A695293DC1FED601C79D21FD0754C1
SSDEEP: 98304:nlG8mh8gV56+NjaiEK3SFNjthk5I4W3N:nQ56+kNKijthka4YN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • WANNACRY has been detected (SURICATA)

      • Ransomware.wannacry.exe (PID: 920)
      • svchost.exe (PID: 1108)
      • Ransomware.wannacry.exe (PID: 3208)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 1016)
    • Starts a Microsoft application from unusual location

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Reads the Internet Settings

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Reads security settings of Internet Explorer

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 1016)
    • Checks proxy server information

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Reads the computer name

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1016)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 1016)
      • WINWORD.EXE (PID: 1204)
      • WINWORD.EXE (PID: 3244)
    • Checks supported languages

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Manual execution by a user

      • Ransomware.wannacry.exe (PID: 920)
      • WINWORD.EXE (PID: 3244)
      • WINWORD.EXE (PID: 1204)
      • Ransomware.wannacry.exe (PID: 3208)
    • Reads the machine GUID from the registry

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • WINWORD.EXE (PID: 3244)
      • WINWORD.EXE (PID: 1204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, winrar.exe, ransomware.wannacry.exe (#WANNACRY), svchost.exe (#WANNACRY), winword.exe (no specs), winword.exe (no specs), ransomware.wannacry.exe (#WANNACRY)

Process information

PID: 1016
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Ransomware.wannacry.exe.malz.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 920
CMD: "C:\Users\admin\Desktop\Ransomware.wannacry.exe"
Path: C:\Users\admin\Desktop\Ransomware.wannacry.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Disk Defragmenter
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\desktop\ransomware.wannacry.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
PID: 1108
CMD: C:\Windows\system32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3244
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\whileelectronic.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 1204
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\disclaimerproviding.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 3208
CMD: "C:\Users\admin\Desktop\Ransomware.wannacry.exe"
Path: C:\Users\admin\Desktop\Ransomware.wannacry.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Disk Defragmenter
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\desktop\ransomware.wannacry.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
Total events: 9 054
Read events: 8 066
Write events: 334
Delete events: 654

Modification events

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtBMP
Value:

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtIcon
Value:

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList
Value: en-US

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write | Name: ShowPassword
Value: 1

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 3
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0
Value: C:\Users\admin\Desktop\Ransomware.wannacry.exe.malz.7z

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name
Value: 120

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size
Value: 80
Executable files: 1
Suspicious files: 12
Text files: 1
Unknown types: 0

Dropped files

PID: 3244 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR5A52.tmp.cvr
MD5:
SHA256:

PID: 1204 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR8A8A.tmp.cvr
MD5:
SHA256:

PID: 3244 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: binary
MD5: D4C1B6C64D0FA52133B123B8C76F1F26
SHA256: 01E473DF79B26ACF918A0D73C78CCBE81A41D7EC4104808B3AAA0D6A1DB0B8DA

PID: 1204 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CF612761-7AFD-4142-9222-C1795DA4DCFF}.tmp
Type: smt
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

PID: 3244 | Process: WINWORD.EXE
Filename: C:\Users\admin\Desktop\~$ileelectronic.rtf
Type: binary
MD5: 5F9E6D911326E6555C98E544C3CFF027
SHA256: EE3434340DD5A77C08CD670A4B97423B48437036091C698388A364EE68230B96

PID: 3244 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4BF9EBF-02C4-4866-9A78-E20D37C0DC02}.tmp
Type: binary
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1

PID: 3244 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6DD8F825-A7E4-4158-9B00-FEF2893033D4}.tmp
Type: binary
MD5: 97A289635269655C3C9C3C74E545B22F
SHA256: 538EF81D291E1BF3CE83ED404F684285075825845D25BCF821B8A71E2A7B633C

PID: 3244 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\whileelectronic.rtf.LNK
Type: binary
MD5: C180BE78B990EE80C537A16687516FFD
SHA256: 63735EE0C6CE2EE12BEDDA6448F2D9509D4ED5CE88888CA98A792C98AEE77046

PID: 3244 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: ini
MD5: 62115BBD4AC32F327AB577B2BF5EF778
SHA256: E1985B5B5A10AF5BFCA800569322BE5D9C51EDB0887617F8CBA4D1755DACF488

PID: 1204 | Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{9B34A7FE-B48D-4EF3-91F7-16B2926B29F2}.tmp
Type: binary
MD5: 1037F4FDD0AEC75CD2B2E7CB51139CAF
SHA256: 7ABC7C6D28BAD93FE22AE87BDE8093F47FC5D0155F96EA4775A31D4A97CA089B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 7
DNS requests: 3
Threats: 8

HTTP requests

PID: 3208 | Process: Ransomware.wannacry.exe | Method: GET | HTTP Code: 200 | IP: 104.16.167.228:80 | URL: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | CN: unknown | Reputation: malicious
PID: 920 | Process: Ransomware.wannacry.exe | Method: GET | HTTP Code: 200 | IP: 104.16.167.228:80 | URL: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | CN: unknown | Reputation: malicious

Connections

PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 224.0.0.252:5355 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 1108 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: whitelisted
PID: 920 | Process: Ransomware.wannacry.exe | IP: 104.16.167.228:80 | Domain: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | ASN: CLOUDFLARENET | Reputation: whitelisted
PID: 3208 | Process: Ransomware.wannacry.exe | IP: 104.16.167.228:80 | Domain: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | ASN: CLOUDFLARENET | Reputation: whitelisted

DNS requests

Domain: google.com | IP: 142.250.186.110 | Reputation: whitelisted
Domain: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | IP: 104.16.167.228 | Reputation: whitelisted

Threats

Class: A Network Trojan was detected | Message: ET MALWARE Possible WannaCry DNS Lookup 1
Class: A Network Trojan was detected | Message: ET MALWARE Possible WannaCry DNS Lookup 1
Class: Misc activity | Message: ET MALWARE Known Sinkhole Response Kryptos Logic
Class: A Network Trojan was detected | Message: AV TROJAN Domain Sinkholed by Kryptos Logic (HTML Response)
Class: A Network Trojan was detected | Message: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
Class: Misc activity | Message: ET MALWARE Known Sinkhole Response Kryptos Logic
Class: A Network Trojan was detected | Message: AV TROJAN Domain Sinkholed by Kryptos Logic (HTML Response)
Class: A Network Trojan was detected | Message: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
No debug info