File name:	WannaCry.exe
Full analysis:	https://app.any.run/tasks/621a120f-d963-4fed-9b0a-8906cdf7f920
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat. WannaCry ist eine bekannte Ransomware, die die EternalBlue-Schwachstelle nutzt. Diese Malware ist dafür bekannt, dass sie mindestens 200.000 Computer weltweit infiziert hat, und sie ist weiterhin eine aktive und gefährliche Bedrohung. Malware Trends Tracker >>>
Analysis date:	June 04, 2025, 23:45:53
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	wannacry ransomware stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	84C82835A5D21BBCF75A61706D8AB549
SHA1:	5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467
SHA256:	ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2010:11:20 09:05:05+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	28672
InitializedDataSize:	3481600
UninitializedDataSize:	-
EntryPoint:	0x77ba
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.1.7601.17514
ProductVersionNumber:	6.1.7601.17514
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	DiskPart
FileVersion:	6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName:	diskpart.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	diskpart.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	6.1.7601.17514


(PID) Process:	(5552) WannaCry.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WanaCrypt0r
Operation:	write	Name:	wd
Value: C:\Users\admin\Desktop
(PID) Process:	(5236) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	zyzvdxbqct621
Value: "C:\Users\admin\Desktop\tasksche.exe"

PID	Process	Filename		Type
5552	WannaCry.exe	C:\Users\admin\Desktop\msg\m_croatian.wnry		text
		MD5:17194003FA70CE477326CE2F6DEEB270	SHA256:3F33734B2D34CCE83936CE99C3494CD845F1D2C02D7F6DA31D42DFC1CA15A171
5552	WannaCry.exe	C:\Users\admin\Desktop\msg\m_german.wnry		text
		MD5:3D59BBB5553FE03A89F817819540F469	SHA256:2ADC900FAFA9938D85CE53CB793271F37AF40CF499BCC454F44975DB533F0B61
5552	WannaCry.exe	C:\Users\admin\Desktop\msg\m_czech.wnry		text
		MD5:537EFEECDFA94CC421E58FD82A58BA9E	SHA256:5AFA4753AFA048C6D6C39327CE674F27F5F6E5D3F2A060B7A8AED61725481150
5552	WannaCry.exe	C:\Users\admin\Desktop\msg\m_bulgarian.wnry		text
		MD5:95673B0F968C0F55B32204361940D184	SHA256:40B37E7B80CF678D7DD302AAF41B88135ADE6DDF44D89BDBA19CF171564444BD
5552	WannaCry.exe	C:\Users\admin\Desktop\msg\m_french.wnry		text
		MD5:4E57113A6BF6B88FDD32782A4A381274	SHA256:9BD38110E6523547AED50617DDC77D0920D408FAEED2B7A21AB163FDA22177BC
5552	WannaCry.exe	C:\Users\admin\Desktop\b.wnry		image
		MD5:C17170262312F3BE7027BC2CA825BF0C	SHA256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
5552	WannaCry.exe	C:\Users\admin\Desktop\msg\m_danish.wnry		text
		MD5:2C5A3B81D5C4715B7BEA01033367FCB5	SHA256:A75BB44284B9DB8D702692F84909A7E23F21141866ADF3DB888042E9109A1CB6
5552	WannaCry.exe	C:\Users\admin\Desktop\msg\m_chinese (traditional).wnry		text
		MD5:2EFC3690D67CD073A9406A25005F7CEA	SHA256:5C7F6AD1EC4BC2C8E2C9C126633215DABA7DE731AC8B12BE10CA157417C97F3A
5552	WannaCry.exe	C:\Users\admin\Desktop\msg\m_italian.wnry		text
		MD5:30A200F78498990095B36F574B6E8690	SHA256:49F2C739E7D9745C0834DC817A71BF6676CCC24A4C28DCDDF8844093AAB3DF07
5552	WannaCry.exe	C:\Users\admin\Desktop\msg\m_finnish.wnry		text
		MD5:35C2F97EEA8819B1CAEBD23FEE732D8F	SHA256:1ADFEE058B98206CB4FBE1A46D3ED62A11E1DEE2C7FF521C1EEF7C706E6A700E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8184	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
8184	RUXIMICS.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
8184	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
8184	RUXIMICS.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
8184	RUXIMICS.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6036	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1660	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted
self.events.data.microsoft.com	20.189.173.8	whitelisted

General Info

WannaCry.exe

84C82835A5D21BBCF75A61706D8AB549

5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467

ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

WANNACRY has been detected

Writes a file to the Word startup folder

RANSOMWARE has been detected

WANNACRY has been detected (YARA)

Modifies files in the Chrome extension folder

Wannacry exe files

Actions looks like stealing of personal data

Drops known malicious image

WannaCry Ransomware is detected

SUSPICIOUS

Starts a Microsoft application from unusual location

Uses ATTRIB.EXE to modify file attributes

Process drops legitimate windows executable

Executing commands from a ".bat" file

The process executes VB scripts

Uses ICACLS.EXE to modify access control lists

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

INFO

The sample compiled with english language support

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Creates files in the program directory

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings