File name: ozon.exe
Full analysis: https://app.any.run/tasks/741ad4d1-5e37-469c-a9fb-0371a7541f0f
Verdict: Malicious activity
Threats:

Mallox is a ransomware strain that emerged in 2021. It encrypts files and is known for targeting database servers; rather than relying on a single exploit, its operators typically gain entry through exposed, weakly secured MS-SQL and RDP services, and the payload is also distributed through phishing campaigns. Once running it locks the victim's data, drops a ransom note and demands payment. Mallox operates as Ransomware-as-a-Service (RaaS), so affiliates rent it to conduct their own attacks.

Analysis date: September 26, 2024, 07:24:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
exfiltration
mallox
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 8F066E822DBFE85CB14B47CE2FDAE732
SHA1: DCDFB00359036045C01562C53AEEDB4EA0F178F0
SHA256: 08998912A7096E621F3C90C23C3340D4D9608BBFE171F451A4B961CD56EACC73
SSDEEP: 12288:eDF9xOKs+/L0jZ0Li6oh0Ax5DTXf+uCHS9asU+XG2HTN:eBLOKbL0Ca1hGvSpHT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads security settings of Internet Explorer: ozon.exe (PID: 5060)
    • Reads the date of Windows installation: ozon.exe (PID: 5060)
    • Creates a file in the system drive root: ozon.exe (PID: 5060)
    • Connects to an unusual port: ozon.exe (PID: 5060)
  • INFO
    • Reads the computer name: ozon.exe (PID: 5060)
    • Checks supported languages: ozon.exe (PID: 5060)
    • Reads the machine GUID from the registry: ozon.exe (PID: 5060)
    • The process uses the downloaded file: ozon.exe (PID: 5060)
    • Creates files in a temporary directory: ozon.exe (PID: 5060)
    • Process checks computer location settings: ozon.exe (PID: 5060)
    • Sends debugging messages: ozon.exe (PID: 5060)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:27 11:11:27+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.38
CodeSize: 333312
InitializedDataSize: 183296
UninitializedDataSize: -
EntryPoint: 0x2cbe4
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 129
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> ozon.exe (the only monitored process; no child processes were recorded)

Process information

PID: 5060
CMD: "C:\Users\admin\AppData\Local\Temp\ozon.exe"
Path: C:\Users\admin\AppData\Local\Temp\ozon.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (images loaded):
c:\users\admin\appdata\local\temp\ozon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 712
Read events: 712
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 1,311
Text files: 2
Unknown types: 0

Dropped files (all written by ozon.exe, PID 5060)

Ransom note "HOW TO BACK FILES.txt", type binary, identical in every location
(MD5: B4B835B76B5A9BAF4E575C4689F3B87D, SHA256: F1BC9626EF45DC8D4C899FEA86211DEFE9AB6E290E5AC525155E94A45B4345D7), dropped at:
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\HOW TO BACK FILES.txt
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\HOW TO BACK FILES.txt
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\HOW TO BACK FILES.txt
  • C:\Users\admin\.ms-ad\HOW TO BACK FILES.txt
  • C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\HOW TO BACK FILES.txt
  • C:\Users\admin\Contacts\HOW TO BACK FILES.txt
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\DNTException\HOW TO BACK FILES.txt
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\Low\ESE\HOW TO BACK FILES.txt

Other files:
  • C:\bootTel.dat (binary)
    MD5: BD7F332B31756A98058068552FB2EC9E
    SHA256: F2F205BFE2618C2E3DA73D591381188982D98ED52FCBA3C0D4C051E190C2711D
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\BWED82MR.txt (text)
    MD5: 0286566F098F89E408351AECF637FB19
    SHA256: CECF3FF8EF38CE1843D45ABA48BFA68FC732DD2E7873CB7EBBDE370D9B0D3E5B
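The dropped-files table above shows the two file-system artefacts worth alerting on: one identical note written under the same name into many directories, and a write directly into the root of the system drive. The script below is an added example, not part of the ANY.RUN report or its tooling; it transcribes the ten records from this table as constructed input and implements both checks. The fan-out threshold (`min_dirs=3`) is an assumption chosen for this example.

```python
"""Triage helper for a sandbox "dropped files" table.

Two patterns from the report above are checked:
  * ransom-note fan-out: one file (same SHA256, same name) written into
    many separate directories, which is how encryptors leave their note
  * a file created directly in the system drive root
The records are transcribed from this report; the fan-out threshold is an
assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class DroppedFile:
    pid: int
    process: str
    path: str
    ftype: str
    md5: str
    sha256: str


NOTE_MD5 = "B4B835B76B5A9BAF4E575C4689F3B87D"
NOTE_SHA256 = "F1BC9626EF45DC8D4C899FEA86211DEFE9AB6E290E5AC525155E94A45B4345D7"

# Transcribed from the "Dropped files" table of this report.
NOTE_PATHS = [
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\HOW TO BACK FILES.txt",
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\HOW TO BACK FILES.txt",
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\HOW TO BACK FILES.txt",
    r"C:\Users\admin\.ms-ad\HOW TO BACK FILES.txt",
    r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\HOW TO BACK FILES.txt",
    r"C:\Users\admin\Contacts\HOW TO BACK FILES.txt",
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\DNTException\HOW TO BACK FILES.txt",
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\Low\ESE\HOW TO BACK FILES.txt",
]
DROPPED = [DroppedFile(5060, "ozon.exe", p, "binary", NOTE_MD5, NOTE_SHA256) for p in NOTE_PATHS] + [
    DroppedFile(5060, "ozon.exe", r"C:\bootTel.dat", "binary",
                "BD7F332B31756A98058068552FB2EC9E",
                "F2F205BFE2618C2E3DA73D591381188982D98ED52FCBA3C0D4C051E190C2711D"),
    DroppedFile(5060, "ozon.exe",
                r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\BWED82MR.txt",
                "text", "0286566F098F89E408351AECF637FB19",
                "CECF3FF8EF38CE1843D45ABA48BFA68FC732DD2E7873CB7EBBDE370D9B0D3E5B"),
]


def ransom_note_fanout(files, min_dirs=3):
    """Map sha256 -> (filename, sorted directories) for files that carry a
    single name and were dropped into at least `min_dirs` distinct directories."""
    dirs = defaultdict(set)
    names = defaultdict(set)
    for f in files:
        p = PureWindowsPath(f.path)
        dirs[f.sha256].add(str(p.parent))
        names[f.sha256].add(p.name.lower())
    return {h: (next(iter(names[h])), sorted(d))
            for h, d in dirs.items()
            if len(d) >= min_dirs and len(names[h]) == 1}


def drive_root_writes(files):
    """Paths written directly under a drive root (one parent only), e.g. C:\\bootTel.dat."""
    return sorted(f.path for f in files if len(PureWindowsPath(f.path).parents) == 1)


if __name__ == "__main__":
    for sha, (name, dirs) in ransom_note_fanout(DROPPED).items():
        print(f"{name} ({sha[:12]}...) dropped into {len(dirs)} directories")
    for path in drive_root_writes(DROPPED):
        print(f"drive-root write: {path}")
```

Grouping on the content hash rather than the file name is deliberate: a note renamed per victim still collapses to one hash, while two unrelated files that happen to share a name do not.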
HTTP(S) requests: 6
TCP/UDP connections: 53
DNS requests: 14
Threats: 7

HTTP requests

Columns: PID | Process | Method | HTTP code | IP:port | URL | CN | Reputation ("-" where the cell is empty in the report)

- | - | GET | 200 | 172.67.74.152:80 | http://api.ipify.org/ | unknown | whitelisted
5768 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5532 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
- | - | POST | 200 | 91.215.85.135:80 | http://91.215.85.135/QWEwqdsvsf/ap.php | unknown | unknown
5532 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5376 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

The CRL and OCSP fetches are routine Windows certificate-validation traffic from system processes. The two rows without a PID, the api.ipify.org lookup and the POST to a bare IP with no reputation, are the only requests in the capture that do not go to Microsoft or DigiCert infrastructure.
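The request sequence above is the classic two-step seen in ransomware check-ins: fetch the victim's public IP from an echo service, then POST to a controller addressed by bare IP. The script below is an added example, not ANY.RUN code or a published detection rule; it transcribes the six rows in the order the report lists them (the report carries no timestamps, so list order stands in for time) and flags the pattern. The echo-service list and the set of reputations treated as clean are assumptions of this example.

```python
"""Triage helper for a sandbox HTTP-request table.

Flags the two-step pattern visible in the report above: a GET to a public
IP-echo service, later followed by a POST to a URL whose host is a bare IP
address with no clean reputation. Rows are transcribed from the report in
the order listed; the echo-service list and CLEAN_REPUTATIONS are
assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpRequest:
    pid: Optional[int]
    process: Optional[str]
    method: str
    status: int
    ip: str
    url: str
    reputation: str


# Transcribed from the "HTTP requests" table of this report; None where the
# PID/process cell is empty.
REQUESTS = [
    HttpRequest(None, None, "GET", 200, "172.67.74.152:80", "http://api.ipify.org/", "whitelisted"),
    HttpRequest(5768, "svchost.exe", "GET", 200, "184.30.21.171:80",
                "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl", "whitelisted"),
    HttpRequest(5532, "SIHClient.exe", "GET", 200, "184.30.21.171:80",
                "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl",
                "whitelisted"),
    HttpRequest(None, None, "POST", 200, "91.215.85.135:80", "http://91.215.85.135/QWEwqdsvsf/ap.php", "unknown"),
    HttpRequest(5532, "SIHClient.exe", "GET", 200, "184.30.21.171:80",
                "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl",
                "whitelisted"),
    HttpRequest(5376, "svchost.exe", "GET", 200, "192.229.221.95:80",
                "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
                "whitelisted"),
]

# Assumption: a short list of public IP-echo services commonly abused for
# victim fingerprinting; extend it for your environment.
IP_ECHO_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me", "ip-api.com"}
# Assumption: reputations that should suppress the check-in heuristic.
CLEAN_REPUTATIONS = {"whitelisted", "shared"}


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def is_bare_ip(host: str) -> bool:
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def external_ip_lookups(requests):
    """Indices of requests aimed at a known IP-echo service."""
    return [i for i, r in enumerate(requests) if host_of(r.url) in IP_ECHO_HOSTS]


def checkin_candidates(requests):
    """Indices of POSTs to bare-IP hosts whose reputation is not clean."""
    return [i for i, r in enumerate(requests)
            if r.method == "POST"
            and is_bare_ip(host_of(r.url))
            and r.reputation not in CLEAN_REPUTATIONS]


def lookup_then_checkin(requests):
    """(lookup_url, checkin_url) pairs where an IP echo precedes a check-in."""
    lookups = external_ip_lookups(requests)
    return [(requests[i].url, requests[j].url)
            for j in checkin_candidates(requests)
            for i in lookups if i < j]


if __name__ == "__main__":
    for lookup, checkin in lookup_then_checkin(REQUESTS):
        print(f"IP lookup {lookup} followed by check-in to {checkin}")
```

On real telemetry, replace list order with the request timestamp and, where the capture has it, the source PID, so the pairing only fires when the lookup and the POST come from the same process.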

Connections

Columns: PID | Process | IP:port | Domain | ASN | CN | Reputation ("-" where the cell is empty in the report)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
5768 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.208.16.91:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 172.67.74.152:80 | api.ipify.org | CLOUDFLARENET | US | shared
- | - | 91.215.85.135:80 | - | - | RU | malicious
5768 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5768 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.46
whitelisted
api.ipify.org
  • 172.67.74.152
  • 104.26.13.205
  • 104.26.12.205
shared
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.4
  • 20.190.159.73
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
  • 52.165.165.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted

Threats

Columns: Class | Message (the PID and process cells are empty for every row)

Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 13
Device Retrieving External IP Address Detected | ET POLICY External IP Lookup api.ipify.org
Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Host Name Exfiltration Atempt
A Network Trojan was detected | ET MALWARE Win32/Filecoder.OJC CnC Checkin
Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
Debug messages

Columns: Process | Message (each message was logged twice, as shown)

ozon.exe | No permission: \\.\C:\$WinREAgent
ozon.exe | No permission: \\.\C:\$WinREAgent
ozon.exe | No permission: \\.\C:\bootmgr
ozon.exe | No permission: \\.\C:\bootmgr
ozon.exe | No permission: \\.\C:\BOOTNXT
ozon.exe | No permission: \\.\C:\BOOTNXT
ozon.exe | No permission: \\.\C:\Documents and Settings
ozon.exe | No permission: \\.\C:\Documents and Settings
ozon.exe | In use another process: \\.\C:\DumpStack.log.tmp
ozon.exe | In use another process: \\.\C:\DumpStack.log.tmp

These are the sample's own OutputDebugString messages (the "Sends debugging messages" indicator above) emitted while it walks the root of C: and reports what it could not open. The access-denied results on $WinREAgent, bootmgr, BOOTNXT and the Documents and Settings junction are what a process running at MEDIUM integrity as the admin user (see Process information) would be expected to hit, and DumpStack.log.tmp is locked by the system while Windows is running.