File name: Ransomware.wannacry.exe.malz.7z

Full analysis: https://app.any.run/tasks/74b46617-4c32-4157-9948-de309a0f08d2
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 13, 2024, 22:22:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, wannacry, sinkhole
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 4D9C771619255C9B937C34B4C50CEC7E
SHA1: 55177CD9CEFC6369DB31B23E324D3263B4D4E6A6
SHA256: ADB41A37499A6F0F5B1E58B1973367DD34A695293DC1FED601C79D21FD0754C1
SSDEEP: 98304:nlG8mh8gV56+NjaiEK3SFNjthk5I4W3N:nQ56+kNKijthka4YN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • WANNACRY has been detected (SURICATA)

      • Ransomware.wannacry.exe (PID: 920)
      • svchost.exe (PID: 1108)
      • Ransomware.wannacry.exe (PID: 3208)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 1016)
    • Starts a Microsoft application from unusual location

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Reads the Internet Settings

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Reads security settings of Internet Explorer

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 1016)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1016)
    • Checks supported languages

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Reads the machine GUID from the registry

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 1016)
      • WINWORD.EXE (PID: 3244)
      • WINWORD.EXE (PID: 1204)
    • Reads the computer name

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Manual execution by a user

      • WINWORD.EXE (PID: 3244)
      • WINWORD.EXE (PID: 1204)
      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • WINWORD.EXE (PID: 1204)
      • WINWORD.EXE (PID: 3244)
    • Checks proxy server information

      • Ransomware.wannacry.exe (PID: 920)
      • Ransomware.wannacry.exe (PID: 3208)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes as rendered in the graph:
start
winrar.exe
ransomware.wannacry.exe (#WANNACRY)
svchost.exe (#WANNACRY)
winword.exe (no specs)
winword.exe (no specs)
ransomware.wannacry.exe (#WANNACRY)

Process information

PID: 920
CMD: "C:\Users\admin\Desktop\Ransomware.wannacry.exe"
Path: C:\Users\admin\Desktop\Ransomware.wannacry.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Disk Defragmenter
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\desktop\ransomware.wannacry.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
PID: 1016
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Ransomware.wannacry.exe.malz.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1108
CMD: C:\Windows\system32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1204
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\disclaimerproviding.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
PID: 3208
CMD: "C:\Users\admin\Desktop\Ransomware.wannacry.exe"
Path: C:\Users\admin\Desktop\Ransomware.wannacry.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Disk Defragmenter
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\desktop\ransomware.wannacry.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
PID: 3244
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\whileelectronic.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events: 9 054
Read events: 8 066
Write events: 334
Delete events: 654

Modification events

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 1

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Ransomware.wannacry.exe.malz.7z

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1016) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
Executable files: 1
Suspicious files: 12
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3244 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5A52.tmp.cvr |
MD5:
SHA256:

1204 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR8A8A.tmp.cvr |
MD5:
SHA256:

1016 | WinRAR.exe | C:\Users\admin\Desktop\Ransomware.wannacry.exe.malz | executable
MD5: DB349B97C37D22F5EA1D1841E3C89EB4
SHA256: 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C

3244 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{188F5C9F-BB54-4A46-8844-AF35DD057692}.tmp | binary
MD5: 53B075F83D3ED2EEE482A360FC513AE2
SHA256: D2FDB30EBD6F290E97E13928AD1231522E02335819560E24400D7D9BE7B743C6

3244 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\whileelectronic.rtf.LNK | binary
MD5: C180BE78B990EE80C537A16687516FFD
SHA256: 63735EE0C6CE2EE12BEDDA6448F2D9509D4ED5CE88888CA98A792C98AEE77046

3244 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini
MD5: 62115BBD4AC32F327AB577B2BF5EF778
SHA256: E1985B5B5A10AF5BFCA800569322BE5D9C51EDB0887617F8CBA4D1755DACF488

1204 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary
MD5: 2AB5E1BACDDCDB7B4A7CCCCE89170F8B
SHA256: 9176C2215AA7EAEF117CF5B7A566E7FCE635EEB32B79AC812B66FF5B322F7BF1

1204 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\disclaimerproviding.rtf.LNK | binary
MD5: C8D6C8346DEE6CD8BC0A1BC49C761B30
SHA256: F24C52E9AA3934112AA070B42357B2FA7C38BA178F07758C1AA3E893FFA07E2E

3244 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary
MD5: D4C1B6C64D0FA52133B123B8C76F1F26
SHA256: 01E473DF79B26ACF918A0D73C78CCBE81A41D7EC4104808B3AAA0D6A1DB0B8DA

1204 | WINWORD.EXE | C:\Users\admin\Desktop\~$sclaimerproviding.rtf | pgc
MD5: 90A37D9F895504440CB6145738BBD23A
SHA256: 2EEE7CBE8A9F553FEC743843BB629A9E5E6F5DE123D13F54779407502D96AE23
HTTP(S) requests: 2
TCP/UDP connections: 7
DNS requests: 3
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3208 | Ransomware.wannacry.exe | GET | 200 | 104.16.167.228:80 | http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | unknown | malicious
920 | Ransomware.wannacry.exe | GET | 200 | 104.16.167.228:80 | http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | Reputation
4 | System | 192.168.100.255:137 | | | whitelisted
4 | System | 224.0.0.252:5355 | | | whitelisted
4 | System | 192.168.100.255:138 | | | whitelisted
1108 | svchost.exe | 224.0.0.252:5355 | | | whitelisted
920 | Ransomware.wannacry.exe | 104.16.167.228:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CLOUDFLARENET | whitelisted
3208 | Ransomware.wannacry.exe | 104.16.167.228:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | CLOUDFLARENET | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.110 | whitelisted
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 104.16.167.228 | whitelisted

Threats

PID | Process | Class | Message
1108 | svchost.exe | A Network Trojan was detected | ET MALWARE Possible WannaCry DNS Lookup 1
1108 | svchost.exe | A Network Trojan was detected | ET MALWARE Possible WannaCry DNS Lookup 1
920 | Ransomware.wannacry.exe | Misc activity | ET MALWARE Known Sinkhole Response Kryptos Logic
920 | Ransomware.wannacry.exe | A Network Trojan was detected | AV TROJAN Domain Sinkholed by Kryptos Logic (HTML Response)
920 | Ransomware.wannacry.exe | A Network Trojan was detected | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
3208 | Ransomware.wannacry.exe | Misc activity | ET MALWARE Known Sinkhole Response Kryptos Logic
3208 | Ransomware.wannacry.exe | A Network Trojan was detected | AV TROJAN Domain Sinkholed by Kryptos Logic (HTML Response)
3208 | Ransomware.wannacry.exe | A Network Trojan was detected | ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
No debug info