analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe |
| Full analysis: | https://app.any.run/tasks/ba79be65-a858-47d4-809a-f21a9e931e93 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | February 07, 2024 at 14:41:16 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | EA6D3083F8C1C506FBFF457BF09A7ED8 |
| SHA1: | F159C4FC7D13571E725F0AE9E0749C77CF859B4E |
| SHA256: | 000DB71531E5AA8B30594D305BB3FBCE8E2C71F66E2170091EF58B3C1F306F46 |
| SSDEEP: | 768:ryVHL0Nw1ALXbLwHi/WEhFOYQj7zs7ERdxmEeY9e1H6ZRP5NPMkFsp5Jz:rymNrLwC/WPYQ3CUXeYA1H6ZN0ke |
MALICIOUS
Create files in the Startup directory
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
Deletes shadow copies
- cmd.exe (PID: 2684)
Changes the autorun value in the registry
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2652)
Drops the executable file immediately after the start
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2652)
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
Using BCDEDIT.EXE to modify recovery options
- cmd.exe (PID: 2684)
Actions looks like stealing of personal data
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
Renames files like ransomware
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
SUSPICIOUS
Starts CMD.EXE for commands execution
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
Application launched itself
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2652)
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2248)
Uses NETSH.EXE to change the status of the firewall
- cmd.exe (PID: 2496)
Reads security settings of Internet Explorer
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2248)
Executable content was dropped or overwritten
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
Reads the Internet Settings
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2248)
- WMIC.exe (PID: 2116)
Executes as Windows Service
- VSSVC.exe (PID: 1240)
- wbengine.exe (PID: 272)
- vds.exe (PID: 924)
Reads browser cookies
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
Process drops legitimate windows executable
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
INFO
Checks supported languages
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2652)
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2248)
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
Reads the computer name
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2248)
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 2652)
Creates files in the program directory
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
Creates files or folders in the user directory
- 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe (PID: 1776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:03:31 16:17:25+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 34304 |
| InitializedDataSize: | 15872 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2fa7 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
56
Monitored processes
16
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 272 | "C:\Windows\system32\wbengine.exe" | C:\Windows\System32\wbengine.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Block Level Backup Engine Service EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 872 | vssadmin delete shadows /all /quiet | C:\Windows\System32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 924 | C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Virtual Disk Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1064 | netsh firewall set opmode mode=disable | C:\Windows\System32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1240 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1496 | netsh advfirewall set currentprofile state off | C:\Windows\System32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1668 | wbadmin delete catalog -quiet | C:\Windows\System32\wbadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® BLB Backup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1776 | "C:\Users\admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe" | C:\Users\admin\AppData\Local\Temp\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1852 | bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\System32\bcdedit.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2116 | wmic shadowcopy delete | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
4 542
Read events
4 420
Write events
122
Delete events
0
Modification events
| (PID) Process: | (2248) 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2248) 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2248) 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2248) 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1776) 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run |
| Operation: | write | Name: | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 |
Value: C:\Users\admin\AppData\Local\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | |||
| (PID) Process: | (1776) 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46 |
Value: C:\Users\admin\AppData\Local\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | |||
| (PID) Process: | (1496) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1496) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-100 |
Value: DHCP Quarantine Enforcement Client | |||
| (PID) Process: | (1496) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-101 |
Value: Provides DHCP based enforcement for NAP | |||
| (PID) Process: | (1496) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E |
| Operation: | write | Name: | @%SystemRoot%\system32\dhcpqec.dll,-103 |
Value: 1.0 | |||
Executable files
183
Suspicious files
2 893
Text files
2
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\MSOCache\All Users\{90140000-0015-0407-1000-0000000FF1CE}-C\AccLR.cab.id[7CD9E0E6-2803].[HenryShrapnel61@gmx.com].eight | — | |
MD5:— | SHA256:— | |||
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\MSOCache\All Users\{90140000-0015-040C-1000-0000000FF1CE}-C\AccLR.cab.id[7CD9E0E6-2803].[HenryShrapnel61@gmx.com].eight | — | |
MD5:— | SHA256:— | |||
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\MSOCache\All Users\{90140000-0015-0410-1000-0000000FF1CE}-C\AccLR.cab.id[7CD9E0E6-2803].[HenryShrapnel61@gmx.com].eight | — | |
MD5:— | SHA256:— | |||
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\Users\admin\AppData\Local\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | executable | |
MD5:EA6D3083F8C1C506FBFF457BF09A7ED8 | SHA256:000DB71531E5AA8B30594D305BB3FBCE8E2C71F66E2170091EF58B3C1F306F46 | |||
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\MSOCache\All Users\{90140000-0015-0407-1000-0000000FF1CE}-C\AccessMUI.xml.id[7CD9E0E6-2803].[HenryShrapnel61@gmx.com].eight | binary | |
MD5:52D090D28D50D6BE94E4BB79C8F38E9F | SHA256:7FF1D3BD07DFAAEDAE4D32121EA845324EE5633525A424AA706647A58BFAA4E7 | |||
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\MSOCache\All Users\{90140000-0015-0411-1000-0000000FF1CE}-C\AccLR.cab.id[7CD9E0E6-2803].[HenryShrapnel61@gmx.com].eight | — | |
MD5:— | SHA256:— | |||
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\found.000\file0000.chk.id[7CD9E0E6-2803].[HenryShrapnel61@gmx.com].eight | binary | |
MD5:20DC33315FF7B2EBABEE3EAE346A575D | SHA256:FD26354395C1412225A998E3971207860398636BBC0A8F0CDAB18C23F94D323A | |||
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\$Recycle.Bin\S-1-5-21-3896776584-4254864009-862391680-1000\desktop.ini.id[7CD9E0E6-2803].[HenryShrapnel61@gmx.com].eight | binary | |
MD5:A82E85880EE2D6A280E702AE8BE980E2 | SHA256:8A8C625E03BCC7FF9C056044D0CCC8E9CD07FEF83106EAE4DDFE678BEAE63ACC | |||
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | executable | |
MD5:EA6D3083F8C1C506FBFF457BF09A7ED8 | SHA256:000DB71531E5AA8B30594D305BB3FBCE8E2C71F66E2170091EF58B3C1F306F46 | |||
| 1776 | 000db71531e5aa8b30594d305bb3fbce8e2c71f66e2170091ef58b3c1f306f46.exe | C:\$Recycle.Bin\S-1-5-21-3896776584-4254864009-862391680-500\desktop.ini.id[7CD9E0E6-2803].[HenryShrapnel61@gmx.com].eight | binary | |
MD5:49B2284643F0F7C1808328E3DC6AC82C | SHA256:28C8D6259A717DC44057162B7EFDB5B6B00011B081DF32A4E78E2CCE641BBE59 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1220 | svchost.exe | 239.255.255.250:3702 | — | — | — | unknown |
352 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |