{"id":12987,"date":"2025-04-22T10:04:35","date_gmt":"2025-04-22T10:04:35","guid":{"rendered":"\/cybersecurity-blog\/?p=12987"},"modified":"2025-05-12T14:04:25","modified_gmt":"2025-05-12T14:04:25","slug":"pe32-ransomware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/","title":{"rendered":"PE32 Ransomware: A New Telegram-Based Threat on the Rise\u00a0"},"content":{"rendered":"\n<p><strong><em>Editor\u2019s note:<\/em><\/strong><em>&nbsp;The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can&nbsp;<\/em><a href=\"https:\/\/x.com\/MauroEldritch\" target=\"_blank\" rel=\"noreferrer noopener\"><em>find Mauro on X<\/em><\/a><em>.<\/em>&nbsp;<\/p>\n\n\n\n<p>There\u2019s no shortage of <a href=\"https:\/\/any.run\/malware-trends\/ransomware\" target=\"_blank\" rel=\"noreferrer noopener\">ransomware<\/a> these days. It\u2019s everywhere, lurking in email attachments, hiding in cracked software, and making headlines almost daily. While some ransomware groups vanish or rebrand, new names step in to take their place, keeping security teams in a constant state of alert.&nbsp;<\/p>\n\n\n\n<p>One of the latest strains making the rounds is&nbsp;<strong>PE32 Ransomware, <\/strong>a newcomer that&#8217;s quickly gaining attention online, including on Twitter. Despite its amateur execution, it manages to <a href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">encrypt files<\/a>, communicate over Telegram, and cause real damage. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">&nbsp;PE32: Key Takeaways&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"582\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/pe32main-1024x582.png\" alt=\"\" class=\"wp-image-13065\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/pe32main-1024x582.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/pe32main-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/pe32main-768x436.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/pe32main-1536x872.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/pe32main-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/pe32main-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/pe32main-740x420.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/pe32main.png 1838w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 1<\/strong>. 
PE32 Ransomware running on Windows 10 inside ANY.RUN&#8217;s Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In this report, <strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/authors\/mauro-eldritch\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mauro Eldritch<\/a><\/strong> takes a closer look at <a href=\"https:\/\/app.any.run\/tasks\/58b336b0-baec-48bb-9675-b2f3d352b63c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pe32_analysis&amp;utm_term=220425&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">how PE32 works<\/a>, how it communicates, and why its chaotic behavior still poses a real threat.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fast<\/strong> <strong>encryption<\/strong>: Starts encryption after a simple prompt; targets visible folders like Desktop.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Unique ransom setup<\/strong>: Two payment tiers: one to unlock files, another to stop data leaks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Telegram C2<\/strong>: Communicates entirely via Telegram Bot API; bot token is exposed in the code.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Easy to analyze<\/strong>: <a href=\"https:\/\/app.any.run\/tasks\/58b336b0-baec-48bb-9675-b2f3d352b63c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pe32_analysis&amp;utm_term=220425&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN makes it simple to extract bot data and monitor activity<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Messy &amp; loud<\/strong>: Drops marker files, triggers disk repair, and encrypts even useless files.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>No stealth<\/strong>: No obfuscation or evasion tricks; relies on basic Windows libraries.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Immature but active<\/strong>: Still evolving, but already a threat due to poor security hygiene.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Execution Flow and Initial Behavior&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"542\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/1-1024x542.jpg\" alt=\"\" class=\"wp-image-13009\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/1-1024x542.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/1-300x159.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/1-768x406.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/1-370x196.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/1-270x143.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/1-740x392.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/1.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 2. <\/strong>Desktop files encrypted with pe32s extension<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>When executed, the sample waits for the operator\u2019s input to determine whether it should encrypt only the folder where it was dropped or the entire system (see Image 2). 
<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/58b336b0-baec-48bb-9675-b2f3d352b63c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pe32_analysis&amp;utm_term=220425&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox analysis<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"538\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/2-1024x538.jpg\" alt=\"\" class=\"wp-image-13012\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/2-1024x538.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/2-300x158.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/2-768x403.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/2-370x194.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/2-270x142.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/2-740x389.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/2.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 3<\/strong>. PE32-KEY folder<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>However, regardless of this selection, it immediately starts noisily encrypting the most visible locations, such as the desktop, appending the .pe32s extension (see Image 3).&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encrypted Desktop files with&nbsp;.pe32s&nbsp;extension&nbsp;<\/h3>\n\n\n\n<p>Instead of dropping a ransom note directly onto the Desktop (as most ransomware does), PE32 creates a folder named&nbsp;PE32-KEY&nbsp;in the root of the&nbsp;C:\\&nbsp;drive. 
This folder contains several internal files used during execution:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>context.pe32c,&nbsp;lock.pe32,&nbsp;pe32lockfile.lock&nbsp;\u2013 for internal tracking and state&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"541\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/3-1024x541.jpg\" alt=\"\" class=\"wp-image-13016\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/3-1024x541.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/3-300x159.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/3-768x406.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/3-370x196.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/3-270x143.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/3-740x391.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/3.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 4<\/strong>. 
PE32 Ransom Note<\/em><\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>ID&nbsp;\u2013 stores the victim\u2019s unique identifier&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>README.txt&nbsp;\u2013 the actual ransom note&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">PE32 ransom note&nbsp;<\/h3>\n\n\n\n<p>The ransom note stands out for its&nbsp;two-tiered payment model: one fee to&nbsp;unlock encrypted files, and another to&nbsp;prevent stolen data from being leaked. 
This approach differs from most ransomware strains, which typically bundle both into a single payment.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Prices vary widely:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>$700 to $7,000&nbsp;for individual machines or servers&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>$10,000 to 2 BTC (or more)&nbsp;for corporate targets&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Victims are instructed to reach out via&nbsp;Telegram. If that fails, the attackers provide a&nbsp;Gmail address&nbsp;as a backup contact method, another sign of their operational inexperience.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"539\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/4-1024x539.jpg\" alt=\"\" class=\"wp-image-13019\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/4-1024x539.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/4-300x158.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/4-768x404.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/4-370x195.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/4-270x142.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/4-740x390.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/4.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 5<\/strong>. Communication to Telegram Admin Group Chat, revealing Bot Token and Group ID<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Telegram C2: Loud, Exposed, and Easy to Abuse&nbsp;<\/h3>\n\n\n\n<p>Once PE32 finishes prompting the attacker for encryption scope, it hides its process window and shifts to background mode. 
From there, it begins broadcasting its activity to a&nbsp;hardcoded <a href=\"https:\/\/any.run\/cybersecurity-blog\/intercept-stolen-data-in-telegram\/\" target=\"_blank\" rel=\"noreferrer noopener\">Telegram group&nbsp;via the Bot API.<\/a>&nbsp;<\/p>\n\n\n\n<p>The first message looks like this:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u201d&#91;PE32 v4.0.1] &#91;Armin] &#91;Thu, 20 Feb 2025 17:44:39] &#91;]&nbsp;&nbsp;\n\nNEW RUN ID: 58994073AC147486]\u201d<\/code><\/pre>\n\n\n\n<p>If using Telegram as a C2 channel wasn\u2019t already an OPSEC disaster, the actors also expose their Bot Token and Group Chat ID.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"540\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/5-1024x540.jpg\" alt=\"\" class=\"wp-image-13022\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/5-1024x540.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/5-300x158.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/5-768x405.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/5-370x195.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/5-270x142.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/5-740x390.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/5.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 6<\/strong>. 
Communication to Telegram Admin Group Chat stating the encryption cycle status&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The malware then begins reporting its lifecycle to the Telegram group, detailing every step of its execution, as seen below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u201c&#91;PE32 v4.0.1] &#91;Armin] &#91;Thu, 20 Feb 2025 17:45:07] &#91;58994073AC147486]&nbsp;\n\nStaring UltraFast Round C:\\\\\u201d<\/code><\/pre>\n\n\n\n<p>PE32 struggles to process certain files (or their extensions\u2014misspelled as \u201cextentions\u201d in its messages):&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u201c&#91;PE32 v4.0.1] &#91;Armin] &#91;Thu, 20 Feb 2025 17:47:08] &#91;58994073AC147486]&nbsp;\n\nUnknown Extentions:&nbsp;&nbsp;\n\n&#91;...]&nbsp;\n\nodbc: 1 0MB&nbsp;\n\nen_gb_e: 1 0MB&nbsp;\n\nfr_fr_p: 1 0MB&nbsp;\n\nxls4: 1 0MB&nbsp;\n\nxls6: 1 0MB&nbsp;\n\nxsx: 1 0MB&nbsp;\n\nnettcp: 1 0MB&nbsp;\n\nxls8: 1 0MB&nbsp;\n\naccess: 1 0MB\u201d<\/code><\/pre>\n\n\n\n<p>The encryption cycle concludes with three messages. 
The first one confirms that the \u201cUltraFast\u201d cycle has been completed, followed by two more messages indicating that the \u201cFast\u201d and \u201cSlow\u201d cycles have also finished successfully.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u201c&#91;PE32 v4.0.1] &#91;Armin] &#91;Thu, 20 Feb 2025 17:47:08] &#91;58994073AC147486]&nbsp;\n\nUltraFast Compeleted C:\\\\\u201d<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"539\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/6-1024x539.jpg\" alt=\"\" class=\"wp-image-13028\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/6-1024x539.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/6-300x158.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/6-768x404.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/6-370x195.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/6-270x142.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/6-740x390.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/6.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 7<\/strong>. All communication is restricted to Telegram<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>With no observable DNS or HTTP requests, we can confirm that this strain of PE32 Ransomware relies exclusively on Telegram Bots for communication. 
This tactic is commonly observed in the MaaS scene, particularly with certain Stealers, but is rarely used in the RaaS ecosystem.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"685\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/7-1024x685.jpg\" alt=\"\" class=\"wp-image-13030\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/7-1024x685.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/7-300x201.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/7-768x514.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/7-370x248.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/7-270x181.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/7-740x495.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/7.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 8<\/strong>. ANY.RUN\u2019s CFG option in action<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">CFG Dumping with ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pe32_analysis&amp;utm_term=220425&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s Interactive Sandbox<\/a> provides a&nbsp;<strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-configuration\/\" target=\"_blank\" rel=\"noreferrer noopener\">CFG extraction function<\/a><\/strong>, allowing analysts to inspect the malware\u2019s internal configuration. 
Unsurprisingly, the&nbsp;<strong>Telegram Bot Token<\/strong>&nbsp;is scattered throughout the code, making it trivially easy to trace the adversarial infrastructure\u2014it\u2019s almost impossible to miss, even by accident.&nbsp;<\/p>\n\n\n\n<p>Armed with this token, anyone can easily flood the attacker\u2019s C2 with fake requests or worse, use the bot\u2019s key to impersonate the bot and send messages to any Telegram user.&nbsp;<\/p>\n\n\n\n<p>By feeding the bot token into third-party tools like&nbsp;<strong>Matkap<\/strong>, threat hunters can automate the retrieval of all data exchanged through the bot, ranging from communications to encrypted files, and even victims\u2019 encryption or decryption keys, as long as they were sent to or received from the bot.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"710\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/8-1024x710.jpg\" alt=\"\" class=\"wp-image-13032\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/8-1024x710.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/8-300x208.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/8-768x533.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/8-370x257.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/8-270x187.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/8-740x513.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/8.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 9<\/strong>. 
Recon routines on PE32&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">A Chaotic Codebase&nbsp;<\/h3>\n\n\n\n<p>Beyond its network behavior, PE32 operates like a typical ransomware strain. It collects system information such as the computer\u2019s&nbsp;GUID,&nbsp;hostname,&nbsp;software policy settings, and&nbsp;supported languages, a common technique used to avoid infecting machines in specific regions, likely to minimize legal consequences.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"835\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/9-1024x835.jpg\" alt=\"\" class=\"wp-image-13035\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/9-1024x835.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/9-300x245.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/9-768x626.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/9-370x302.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/9-270x220.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/9-740x603.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/9.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 10<\/strong>. False (but not false) positives arise from PE32\u2019s chaotic behavior<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>PE32\u2019s untidy nature makes it somewhat difficult to read and profile. 
For instance, it places a file named \u201cpe32lockfile.lock\u201d in every locked folder, likely as a flag indicating \u201cI was here already.\u201d&nbsp;<\/p>\n\n\n\n<p>But when dropping the \u201cpe32lockfile.lock\u201d file in directories like the ones belonging to Skype, Firefox or Chrome, it trips a good portion of detection rules, so it\u2019s a behaviour worth noting.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"835\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/10-1024x835.jpg\" alt=\"\" class=\"wp-image-13036\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/10-1024x835.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/10-300x245.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/10-768x626.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/10-370x302.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/10-270x220.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/10-740x603.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/10.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 11<\/strong>. PE32\u2019s reckless encryption cycle triggers chkdsk.exe to run<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The chaos doesn\u2019t stop there. PE32 also drops&nbsp;C:\\bootTel.dat, a legitimate&nbsp;Windows telemetry file&nbsp;associated with&nbsp;chkdsk.exe&nbsp;(Disk Checker). Although harmless on its own, the creation of this file is directly tied to the ransomware\u2019s activity.&nbsp;<\/p>\n\n\n\n<p>By aggressively encrypting files across the&nbsp;C:\\&nbsp;drive, including&nbsp;non-critical system files, PE32 ends up triggering the disk repair utility. 
While it doesn\u2019t halt system functionality, it does cause&nbsp;Windows to initiate self-repair checks, providing an additional footprint of the malware\u2019s presence.&nbsp;<\/p>\n\n\n\n<p>With this, we now have additional indicators of PE32\u2019s activity.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"537\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/11-1024x537.jpg\" alt=\"\" class=\"wp-image-13039\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/11-1024x537.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/11-300x157.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/11-768x403.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/11-370x194.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/11-270x142.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/11-740x388.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/11.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 12.<\/strong> Useless files being encrypted, such as Chrome language files for Portuguese, Romanian and Russian<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>PE32 shows no logic in file selection. It encrypts everything in sight, regardless of extension or value. 
Chrome\u2019s language packs (messages.json), static resources like&nbsp;.gif&nbsp;and&nbsp;.css&nbsp;files, and even incomplete extension data are all locked without discrimination.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"539\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/12-1024x539.jpg\" alt=\"\" class=\"wp-image-13041\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/12-1024x539.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/12-300x158.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/12-768x404.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/12-370x195.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/12-270x142.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/12-740x390.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/12.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 13<\/strong>. ANY.RUN allows analysts to inspect the libraries loaded and unloaded by a malware process&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>On the technical side, PE32 keeps things simple. There\u2019s no use of exotic libraries or obfuscated function calls.&nbsp;It relies on the classic combo of ntdll.dll and kernel32.dll to execute processes and manipulate files, while crypt32.dll and bcrypt.dll handle encryption. 
<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"246\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/13-1024x246.jpg\" alt=\"\" class=\"wp-image-13057\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/13-1024x246.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/13-300x72.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/13-768x185.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/13-370x89.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/13-270x65.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/13-740x178.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/13.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 14<\/strong>. ANY.RUN\u2019s automatic ATT&amp;CK Matrix<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It depends on schannel.dll, Windows\u2019 native TLS\/SSL library, to reach its C2 channel over HTTPS, and that\u2019s it. 
Plain and simple!&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">TTPs &amp; IOCs&nbsp;<\/h2>\n\n\n\n<p>Dissecting PE32 is challenging due to its unpredictable and erratic behavior. The ransomware triggers numerous detections, some legitimate, others the result of its careless execution, which can complicate analysis and lead to false trails.&nbsp;<\/p>\n\n\n\n<p>Fortunately, ANY.RUN\u2019s automatic <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">ATT&amp;CK matrix<\/a> and IOC collection make this task significantly easier. 
These features help analysts quickly identify behaviors and map them to known techniques, significantly reducing investigation time.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"712\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/14-1024x712.jpg\" alt=\"\" class=\"wp-image-13060\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/14-1024x712.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/14-300x209.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/14-768x534.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/14-370x257.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/14-270x188.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/14-740x515.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/14.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 14<\/strong>. Telegram communication inside ANYRUN\u2019s ATT&amp;CK Matrix<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>One of the most notable techniques observed is&nbsp;T1102 \u2013 Web Service Communication, specifically communication via&nbsp;Telegram. 
Although not the most advanced tactic, it provides a clear indication of PE32\u2019s reliance on a basic and exposed C2 channel.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"713\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/15-1024x713.jpg\" alt=\"\" class=\"wp-image-13062\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/15-1024x713.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/15-300x209.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/15-768x535.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/15-370x258.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/15-270x188.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/15-740x515.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/15.jpg 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em><strong>Image 16<\/strong>. PE32 encrypting Skype folder as seen by ANYRUN\u2019s ATT&amp;CK Matrix<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This behavior aligns with early-stage or poorly maintained ransomware, which typically lacks data exfiltration capabilities and instead focuses solely on encryption and basic status reporting. In this context, T1102 serves as a valuable early signal for identifying similar threats in the wild.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">PE32 Threat Impact&nbsp;<\/h2>\n\n\n\n<p>The PE32 ransomware campaign introduces notable risks despite its unsophisticated design:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For end users<\/strong>: Victims face potential data loss, system instability, and financial pressure from ransom demands. 
The dual-payment model adds further psychological manipulation by threatening data exposure.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For organizations<\/strong>: While PE32 currently lacks data exfiltration, its ability to disrupt operations, encrypt shared resources, and leave behind recoverable indicators (e.g., lock files, telemetry triggers) makes it a growing concern, especially if it evolves.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For security teams<\/strong>: The use of Telegram as a C2 channel, combined with erratic behavior and non-selective encryption, can complicate detection and response. Its reliance on public communication channels also introduces new monitoring and containment challenges.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For the broader threat landscape<\/strong>: PE32 highlights a trend toward low-effort, fast-deploy ransomware strains, crafted with minimal obfuscation, relying on common tools, yet still capable of causing damage. Its open infrastructure and careless coding make it accessible for copycats and opportunistic attackers.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>The analysis of PE32 Ransomware reveals how even basic, poorly coded malware can disrupt systems, encrypt valuable data, and leverage public platforms like Telegram for command and control. 
&nbsp;<\/p>\n\n\n\n<p>While it lacks advanced evasion or data theft capabilities, PE32 reflects the growing trend of fast-deploy, low-effort ransomware strains that still pose a real threat to individuals and organizations.&nbsp;<\/p>\n\n\n\n<p>By analyzing PE32 in real time using&nbsp;<a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pe32_analysis&amp;utm_term=220425&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a>, we were able to fully observe its execution flow, uncover its communication channels, and extract key artifacts, without relying solely on static reverse engineering.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s how this kind of analysis brings value:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster threat detection<\/strong>: Catch suspicious encryption activity and exposed infrastructure early.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Full behavioral visibility<\/strong>: Monitor system changes, communication attempts, and encryption logic in real time.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced investigation time<\/strong>: Quickly correlate observable behavior with known techniques and IOCs.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improved incident response<\/strong>: Collect and share actionable indicators across teams.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stronger threat intelligence<\/strong>: Identify attacker mistakes, such as hardcoded credentials and bot tokens.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=pe32_analysis&amp;utm_term=220425&amp;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noreferrer noopener\">Try ANY.RUN\u2019s Interactive Sandbox today<\/a>&nbsp;<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">Collect Indicators of Compromise<\/h2>\n\n\n\n<p><strong>SHA256<\/strong>:15cb6bd05a35fdbd9a7e53b092a1b0537c64cb5df08ee0262479c0cc24eafd8a&nbsp;<\/p>\n\n\n\n<p><strong>FilePath<\/strong>:C:\\PE32-KEY\\ID&nbsp;<\/p>\n\n\n\n<p><strong>SHA256<\/strong>:5946bdeb8b7bf0603e99cefb15c083a37352fa8a916b2664bbb9f9027f44985b&nbsp;<\/p>\n\n\n\n<p><strong>FilePath<\/strong>:C:\\PE32-KEY\\README.txt&nbsp;<\/p>\n\n\n\n<p><strong>SHA256<\/strong>:c6ddc9c2852eddf30f945a50183e28d38f6b9b1bbad01aac52e9d9539482a433&nbsp;<\/p>\n\n\n\n<p><strong>Filename<\/strong>:PE32.exe&nbsp;<\/p>\n\n\n\n<p><strong>SHA256<\/strong>:098ee778fca1bfd809499dac65f528ea727f2aee9c6eaf79fe662d9261086e4a&nbsp;<\/p>\n\n\n\n<p><strong>FilePath<\/strong>:C:\\PE32-KEY\\context.pe32c&nbsp;<\/p>\n\n\n\n<p><strong>SHA256<\/strong>:9e561018034479df1493addca30f1d031b9185e1d66f15333b8ea79d16acf64b&nbsp;<\/p>\n\n\n\n<p><strong>FilePath<\/strong>:C:\\PE32-KEY\\lock.pe32&nbsp;<\/p>\n\n\n\n<p><strong>References<\/strong>:&nbsp;<\/p>\n\n\n\n<p>Matkap tool: <a href=\"http:\/\/github.com\/0x6rss\/matkap\" target=\"_blank\" rel=\"noreferrer noopener\">github.com\/0x6rss\/matkap<\/a>&nbsp;<\/p>\n\n\n\n<p>Sandbox analysis: <a href=\"https:\/\/app.any.run\/tasks\/58b336b0-baec-48bb-9675-b2f3d352b63c\">https:\/\/app.any.run\/tasks\/58b336b0-baec-48bb-9675-b2f3d352b63c<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:&nbsp;The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can&nbsp;find Mauro on X.&nbsp; There\u2019s no shortage of ransomware these days. It\u2019s everywhere, lurking in email attachments, hiding in cracked software, and making headlines almost daily. 
While some ransomware groups vanish or rebrand, new names step in to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":13079,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-12987","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>PE32 Ransomware: A New Telegram-Based Threat on the Rise\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Read technical analysis of PE32, a new ransomware strain that demands ransom for both decryption and not leaking stolen data.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mauro Eldritch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/\"},\"author\":{\"name\":\"Mauro Eldritch\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"PE32 Ransomware: A New Telegram-Based Threat on the Rise\u00a0\",\"datePublished\":\"2025-04-22T10:04:35+00:00\",\"dateModified\":\"2025-05-12T14:04:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/\"},\"wordCount\":2052,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/\",\"name\":\"PE32 Ransomware: A New Telegram-Based Threat on the Rise\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-04-22T10:04:35+00:00\",\"dateModified\":\"2025-05-12T14:04:25+00:00\",\"description\":\"Read technical analysis of PE32, a new ransomware strain that demands ransom for both decryption and not leaking stolen 
data.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"PE32 Ransomware: A New Telegram-Based Threat on the Rise\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mauro Eldritch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"caption\":\"Mauro Eldritch\"},\"description\":\"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"PE32 Ransomware: A New Telegram-Based Threat on the Rise\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"Read technical analysis of PE32, a new ransomware strain that demands ransom for both decryption and not leaking stolen data.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/","twitter_misc":{"Written by":"Mauro Eldritch","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/"},"author":{"name":"Mauro Eldritch","@id":"https:\/\/any.run\/"},"headline":"PE32 Ransomware: A New Telegram-Based Threat on the Rise\u00a0","datePublished":"2025-04-22T10:04:35+00:00","dateModified":"2025-05-12T14:04:25+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/"},"wordCount":2052,"commentCount":2,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/","name":"PE32 Ransomware: A New Telegram-Based Threat on the Rise\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-04-22T10:04:35+00:00","dateModified":"2025-05-12T14:04:25+00:00","description":"Read technical analysis of PE32, a new 
ransomware strain that demands ransom for both decryption and not leaking stolen data.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/pe32-ransomware-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"PE32 Ransomware: A New Telegram-Based Threat on the Rise\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Mauro 
Eldritch","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","caption":"Mauro Eldritch"},"description":"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12987"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=12987"}],"version-history":[{"count":71,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12987\/revisions"}],"predecessor-version":[{"id":13370,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/12987\/revisions\/13370"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/13079"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=12987"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=12987"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=12987"}],"curies":[{"name":"w
p","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}