download:

/Explodingstuff/WannaCry/raw/master/WannaCry.EXE

Full analysis: https://app.any.run/tasks/a723484a-f3ec-4958-87ad-8f0b97530640
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: December 09, 2023, 19:03:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
wannacry
wannacryptor
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

84C82835A5D21BBCF75A61706D8AB549

SHA1:

5FF465AFAABCBF0150D1A3AB2C2E74F3A4426467

SHA256:

ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA

SSDEEP:

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WannaCry.EXE (PID: 1556)
      • @WanaDecryptor@.exe (PID: 3308)
      • RakhniDecryptor.exe (PID: 1364)
      • RakhniDecryptor.exe (PID: 3352)

    • Modifies files in the Chrome extension folder

      • WannaCry.EXE (PID: 1556)

    • WannaCry Ransomware is detected

      • WannaCry.EXE (PID: 1556)
      • cmd.exe (PID: 3632)

    • Writes a file to the Word startup folder

      • WannaCry.EXE (PID: 1556)

    • Deletes shadow copies

      • cmd.exe (PID: 3760)

    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 3760)

    • Actions looks like stealing of personal data

      • WannaCry.EXE (PID: 1556)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WannaCry.EXE (PID: 1556)

    • Uses ATTRIB.EXE to modify file attributes

      • WannaCry.EXE (PID: 1556)

    • Uses ICACLS.EXE to modify access control lists

      • WannaCry.EXE (PID: 1556)

    • Executing commands from a ".bat" file

      • WannaCry.EXE (PID: 1556)

    • The process executes VB scripts

      • cmd.exe (PID: 1152)

    • Creates files like ransomware instruction

      • WannaCry.EXE (PID: 1556)

    • Starts CMD.EXE for commands execution

      • WannaCry.EXE (PID: 1556)
      • @WanaDecryptor@.exe (PID: 3448)

    • Connects to unusual port

      • taskhsvc.exe (PID: 4076)

    • Reads the Internet Settings

      • @WanaDecryptor@.exe (PID: 3448)
      • WMIC.exe (PID: 3880)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3456)
      • wbengine.exe (PID: 1072)
      • vds.exe (PID: 3224)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 564)

  • INFO

    • Create files in a temporary directory

      • WannaCry.EXE (PID: 1556)
      • cscript.exe (PID: 2532)
      • @WanaDecryptor@.exe (PID: 3308)
      • RakhniDecryptor.exe (PID: 1364)
      • RakhniDecryptor.exe (PID: 3352)

    • Checks supported languages

      • WannaCry.EXE (PID: 1556)
      • taskdl.exe (PID: 1344)
      • @WanaDecryptor@.exe (PID: 3308)
      • taskdl.exe (PID: 2984)
      • wmpnscfg.exe (PID: 2996)
      • taskhsvc.exe (PID: 4076)
      • @WanaDecryptor@.exe (PID: 3448)
      • @WanaDecryptor@.exe (PID: 2516)
      • taskdl.exe (PID: 2408)
      • taskdl.exe (PID: 2916)
      • {34B6A505-C74F-43D2-AF99-260298E3ED5A}.exe (PID: 1508)
      • taskdl.exe (PID: 3736)
      • @WanaDecryptor@.exe (PID: 2152)
      • {189567E4-651F-457A-B958-4B85B98345C3}.exe (PID: 3064)
      • @WanaDecryptor@.exe (PID: 2060)
      • RakhniDecryptor.exe (PID: 3352)
      • @WanaDecryptor@.exe (PID: 1868)
      • @WanaDecryptor@.exe (PID: 272)
      • taskdl.exe (PID: 2136)
      • taskdl.exe (PID: 2424)
      • RakhniDecryptor.exe (PID: 1364)
      • taskdl.exe (PID: 2196)
      • @WanaDecryptor@.exe (PID: 2164)

    • Reads the computer name

      • WannaCry.EXE (PID: 1556)
      • wmpnscfg.exe (PID: 2996)
      • @WanaDecryptor@.exe (PID: 3448)
      • taskhsvc.exe (PID: 4076)
      • {189567E4-651F-457A-B958-4B85B98345C3}.exe (PID: 3064)
      • {34B6A505-C74F-43D2-AF99-260298E3ED5A}.exe (PID: 1508)

    • The dropped object may contain a URL to Tor Browser

      • WannaCry.EXE (PID: 1556)
      • @WanaDecryptor@.exe (PID: 3308)

    • Dropped object may contain TOR URL's

      • WannaCry.EXE (PID: 1556)
      • @WanaDecryptor@.exe (PID: 3308)

    • Reads the machine GUID from the registry

      • WannaCry.EXE (PID: 1556)
      • taskhsvc.exe (PID: 4076)
      • {34B6A505-C74F-43D2-AF99-260298E3ED5A}.exe (PID: 1508)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2532)

    • Manual execution by a user

      • rundll32.exe (PID: 3140)
      • wmpnscfg.exe (PID: 2996)
      • msedge.exe (PID: 880)

    • Creates files or folders in the user directory

      • WannaCry.EXE (PID: 1556)
      • taskhsvc.exe (PID: 4076)

    • Creates files in the program directory

      • WannaCry.EXE (PID: 1556)

    • The executable file from the user directory is run by the CMD process

      • @WanaDecryptor@.exe (PID: 3448)

    • Application launched itself

      • msedge.exe (PID: 880)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 2668)
      • msedge.exe (PID: 2396)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:20 10:05:05+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 28672
InitializedDataSize: 3481600
UninitializedDataSize: -
EntryPoint: 0x77ba
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.1.7601.17514
ProductVersionNumber: 6.1.7601.17514
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: DiskPart
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName: diskpart.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: diskpart.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7601.17514
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
148
Monitored processes
87
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #WANNACRY wannacry.exe attrib.exe no specs icacls.exe no specs taskdl.exe no specs cmd.exe no specs cscript.exe no specs rundll32.exe no specs wmpnscfg.exe no specs PhotoViewer.dll no specs taskdl.exe no specs msedge.exe msedge.exe no specs @wanadecryptor@.exe no specs #WANNACRY cmd.exe no specs @wanadecryptor@.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs taskhsvc.exe msedge.exe no specs msedge.exe no specs cmd.exe vssadmin.exe no specs vssvc.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs taskdl.exe no specs cmd.exe no specs @wanadecryptor@.exe no specs reg.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wmic.exe no specs msedge.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs taskdl.exe no specs @wanadecryptor@.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs @wanadecryptor@.exe no specs taskdl.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs winrar.exe no specs rakhnidecryptor.exe no specs rakhnidecryptor.exe {34b6a505-c74f-43d2-af99-260298e3ed5a}.exe @wanadecryptor@.exe no specs taskdl.exe no specs rakhnidecryptor.exe no specs rakhnidecryptor.exe {189567e4-651f-457a-b958-4b85b98345c3}.exe @wanadecryptor@.exe no specs taskdl.exe no specs @wanadecryptor@.exe no specs taskdl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
216"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5864 --field-trial-handle=1208,i,2037176469037546195,11565476650896064887,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
272"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4400 --field-trial-handle=1208,i,2037176469037546195,11565476650896064887,131072 /prefetch:8C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
272@WanaDecryptor@.exeC:\Users\admin\AppData\Local\Temp\@WanaDecryptor@.exeWannaCry.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Load PerfMon Counters
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\temp\@wanadecryptor@.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
328"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5132 --field-trial-handle=1208,i,2037176469037546195,11565476650896064887,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
476vssadmin delete shadows /all /quiet C:\Windows\System32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
544"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4112 --field-trial-handle=1208,i,2037176469037546195,11565476650896064887,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
564cmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yyibsxxiapw107" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Temp\tasksche.exe\"" /fC:\Windows\System32\cmd.exeWannaCry.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
664"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\RakhniDecryptor.zip"C:\program files\WinRAR\WinRAR.exemsedge.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
684"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4416 --field-trial-handle=1208,i,2037176469037546195,11565476650896064887,131072 /prefetch:1C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
880"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --profile-directory=DefaultC:\Program Files\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
12 424
Read events
12 301
Write events
121
Delete events
2

Modification events

(PID) Process:(4036) dllhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
Explorer.EXE
(PID) Process:(880) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(880) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(880) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(880) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(880) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:writeName:dr
Value:
1
(PID) Process:(880) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
1
(PID) Process:(880) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1302019708-1500728564-335382590-1000
Value:
8A1A1F2B695E2F00
(PID) Process:(880) msedge.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Edge
Operation:writeName:UsageStatsInSample
Value:
1
(PID) Process:(880) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
Operation:writeName:usagestats
Value:
1
Executable files
57
Suspicious files
2 315
Text files
572
Unknown types
5

Dropped files

PID
Process
Filename
Type
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\b.wnryimage
MD5:C17170262312F3BE7027BC2CA825BF0C
SHA256:D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\msg\m_bulgarian.wnrytext
MD5:95673B0F968C0F55B32204361940D184
SHA256:40B37E7B80CF678D7DD302AAF41B88135ADE6DDF44D89BDBA19CF171564444BD
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\msg\m_chinese (simplified).wnrytext
MD5:0252D45CA21C8E43C9742285C48E91AD
SHA256:845D0E178AEEBD6C7E2A2E9697B2BF6CF02028C50C288B3BA88FE2918EA2834A
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\msg\m_chinese (traditional).wnrytext
MD5:2EFC3690D67CD073A9406A25005F7CEA
SHA256:5C7F6AD1EC4BC2C8E2C9C126633215DABA7DE731AC8B12BE10CA157417C97F3A
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\msg\m_croatian.wnrytext
MD5:17194003FA70CE477326CE2F6DEEB270
SHA256:3F33734B2D34CCE83936CE99C3494CD845F1D2C02D7F6DA31D42DFC1CA15A171
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\c.wnrybinary
MD5:AE08F79A0D800B82FCBE1B43CDBDBEFC
SHA256:055C7760512C98C8D51E4427227FE2A7EA3B34EE63178FE78631FA8AA6D15622
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\msg\m_filipino.wnrytext
MD5:08B9E69B57E4C9B966664F8E1C27AB09
SHA256:D8489F8C16318E524B45DE8B35D7E2C3CD8ED4821C136F12F5EF3C9FC3321324
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\msg\m_dutch.wnrytext
MD5:7A8D499407C6A647C03C4471A67EAAD7
SHA256:2C95BEF914DA6C50D7BDEDEC601E589FBB4FDA24C4863A7260F4F72BD025799C
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\msg\m_latvian.wnrytext
MD5:C33AFB4ECC04EE1BCC6975BEA49ABE40
SHA256:A0356696877F2D94D645AE2DF6CE6B370BD5C0D6DB3D36DEF44E714525DE0536
1556WannaCry.EXEC:\Users\admin\AppData\Local\Temp\msg\m_japanese.wnrytext
MD5:B77E1221F7ECD0B5D696CB66CDA1609E
SHA256:7E491E7B48D6E34F916624C1CDA9F024E86FCBEC56ACDA35E27FA99D530D017E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
149
DNS requests
169
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3064
{189567E4-651F-457A-B958-4B85B98345C3}.exe
GET
301
185.85.15.30:80
http://support.kaspersky.com/viruses/rakhnidecryptor.xml
unknown
html
180 b
unknown
1508
{34B6A505-C74F-43D2-AF99-260298E3ED5A}.exe
GET
301
185.85.15.30:80
http://support.kaspersky.com/viruses/rakhnidecryptor.xml
unknown
html
180 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
23.35.228.137:80
AKAMAI-AS
DE
unknown
4
System
192.168.100.255:138
whitelisted
868
svchost.exe
72.246.168.142:80
armmf.adobe.com
AKAMAI-AS
DE
unknown
4
System
192.168.100.255:137
whitelisted
4016
msedge.exe
204.79.197.203:443
ntp.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
880
msedge.exe
239.255.255.250:1900
whitelisted
4016
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4016
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4016
msedge.exe
23.15.178.217:443
assets.msn.com
Akamai International B.V.
DE
unknown
4016
msedge.exe
2.16.164.32:443
img-s-msn-com.akamaized.net
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
armmf.adobe.com
  • 72.246.168.142
whitelisted
ntp.msn.com
  • 204.79.197.203
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
assets.msn.com
  • 23.15.178.217
  • 23.15.178.194
whitelisted
img-s-msn-com.akamaized.net
  • 2.16.164.32
  • 2.16.164.74
whitelisted
sb.scorecardresearch.com
  • 3.160.188.18
  • 3.160.188.19
  • 3.160.188.50
  • 3.160.188.68
shared
th.bing.com
  • 2.19.96.82
  • 2.19.96.58
  • 2.19.96.42
  • 2.19.96.64
  • 2.19.96.40
  • 2.19.96.66
  • 2.19.96.48
  • 2.19.96.67
  • 2.19.96.49
  • 23.15.178.168
  • 23.15.178.219
  • 23.15.178.192
  • 23.15.178.184
  • 23.15.178.185
  • 23.15.178.200
  • 23.15.178.179
  • 23.15.178.136
  • 23.15.178.147
whitelisted
www.bing.com
  • 23.15.178.168
  • 23.15.178.219
  • 23.15.178.192
  • 23.15.178.184
  • 23.15.178.185
  • 23.15.178.200
  • 23.15.178.179
  • 23.15.178.136
  • 23.15.178.147
  • 23.15.178.233
  • 23.15.178.187
  • 23.15.178.226
  • 23.15.178.208
  • 2.19.96.41
  • 2.19.96.16
  • 2.19.96.50
  • 2.19.96.35
  • 2.19.96.74
  • 2.19.96.83
  • 2.19.96.26
  • 2.19.96.80
  • 2.19.96.82
  • 104.126.37.155
  • 104.126.37.153
  • 104.126.37.139
  • 104.126.37.129
  • 104.126.37.154
  • 104.126.37.145
  • 104.126.37.130
  • 104.126.37.136
  • 104.126.37.162
whitelisted
c.msn.com
  • 68.219.88.97
whitelisted

Threats

PID
Process
Class
Message
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 155
4016
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Global content delivery network (unpkg .com)
4076
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 794
4076
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
4076
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
4076
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 216
4076
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
4076
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
4076
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/Explodingstuff/WannaCry/raw/master/WannaCry.EXE