analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Aksip.exe

Full analysis: https://app.any.run/tasks/4b962007-b89f-4fcb-b693-8ee6c012baef
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: February 21, 2020, 23:03:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
zeppelin
evasion
trojan
buran
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

61506482DDD28756E443B3DE05A3B1CF

SHA1:

8D7EFFB5A456289D13F725486A30BED727A01BE0

SHA256:

15E3107A2C30DA16832DB6F9CDADD38C7A202D72B6A43899B9642D3B695D6F50

SSDEEP:

6144:lulpMmWxFAppqxH1Hj1uJGEYpxQoCM4TU79zJlDpIafgul3:klp8Huqv8YTQoC9U7HlDpZY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZEPPELIN was detected

      • Aksip.exe (PID: 3332)
      • taskeng.exe (PID: 4084)

    • Changes the autorun value in the registry

      • Aksip.exe (PID: 3332)

    • BURAN was detected

      • taskeng.exe (PID: 4084)

    • Deletes shadow copies

      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 1352)
      • cmd.exe (PID: 3820)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 1904)

    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 3032)

    • Changes settings of System certificates

      • WuSetupV.exe (PID: 1256)
      • taskeng.exe (PID: 4084)
      • Aksip.exe (PID: 3332)

    • Application was dropped or rewritten from another process

      • WuSetupV.exe (PID: 1256)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • Aksip.exe (PID: 3332)
      • taskeng.exe (PID: 4084)

    • Creates files in the user directory

      • Aksip.exe (PID: 3332)

    • Starts itself from another location

      • Aksip.exe (PID: 3332)

    • Executable content was dropped or overwritten

      • Aksip.exe (PID: 3332)

    • Starts CMD.EXE for commands execution

      • taskeng.exe (PID: 4084)

    • Application launched itself

      • taskeng.exe (PID: 4084)

    • Executed via COM

      • vdsldr.exe (PID: 1196)
      • DllHost.exe (PID: 2588)
      • DllHost.exe (PID: 3888)

    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 3032)
      • vds.exe (PID: 3020)

    • Creates files in the Windows directory

      • wbadmin.exe (PID: 3924)

    • Executed as Windows Service

      • wbengine.exe (PID: 3032)
      • vssvc.exe (PID: 1440)
      • vds.exe (PID: 3020)

    • Creates files in the program directory

      • taskeng.exe (PID: 3868)

    • Adds / modifies Windows certificates

      • taskeng.exe (PID: 4084)
      • Aksip.exe (PID: 3332)

  • INFO

    • Reads settings of System Certificates

      • taskeng.exe (PID: 4084)

    • Dropped object may contain Bitcoin addresses

      • taskeng.exe (PID: 3868)

    • Manual execution by user

      • WINWORD.EXE (PID: 3504)
      • taskmgr.exe (PID: 2644)
      • chrome.exe (PID: 3276)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3504)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3504)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1440)

    • Reads the hosts file

      • chrome.exe (PID: 3276)
      • chrome.exe (PID: 2908)

    • Application launched itself

      • chrome.exe (PID: 3276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Clipper DOS Executable (2.6)

EXIF

EXE

FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: Debug
FileFlagsMask: 0x003f
ProductVersionNumber: 28.0.0.0
FileVersionNumber: 28.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x2a8d0
UninitializedDataSize: -
InitializedDataSize: 107520
CodeSize: 310272
LinkerVersion: 9
PEType: PE32
TimeStamp: 2019:07:03 14:20:21+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Jul-2019 12:20:21
Detected languages:
  • Portuguese - Brazil

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 03-Jul-2019 12:20:21
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0004BB99
0x0004BC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.34393
.data
0x0004D000
0x00013638
0x00003400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.62231
.tls
0x00061000
0x00000009
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00062000
0x000D9C50
0x00002E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.39979
.reloc
0x0013C000
0x00003A56
0x00003C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
3.94358

Resources

Title
Entropy
Size
Codepage
Language
Type
1
2.86623
212
UNKNOWN
UNKNOWN
RT_VERSION
2
2.697
3752
UNKNOWN
UNKNOWN
RT_CURSOR
3
3.76287
2216
UNKNOWN
UNKNOWN
RT_CURSOR
18
2.48721
118
UNKNOWN
UNKNOWN
RT_STRING
119
1.7815
20
UNKNOWN
Portuguese - Brazil
RT_GROUP_ICON
142
2.5
16
UNKNOWN
UNKNOWN
RT_ACCELERATOR
295
1
2
UNKNOWN
UNKNOWN
AFX_DIALOG_LAYOUT
2344
2.36486
34
UNKNOWN
UNKNOWN
RT_GROUP_CURSOR

Imports

KERNEL32.dll
USER32.dll

Exports

Title
Ordinal
Address
@dfyldfg@0
1
0x000443C7
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
57
Malicious processes
6
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start #ZEPPELIN aksip.exe #ZEPPELIN taskeng.exe notepad.exe no specs taskeng.exe no specs cmd.exe no specs bcdedit.exe no specs cmd.exe no specs bcdedit.exe no specs cmd.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs cmd.exe no specs wbadmin.exe no specs cmd.exe no specs wbadmin.exe no specs cmd.exe no specs wbadmin.exe no specs cmd.exe no specs wmic.exe no specs vssvc.exe no specs cmd.exe no specs vssadmin.exe no specs taskmgr.exe no specs winword.exe no specs PhotoViewer.dll no specs Windows Parental Controls no specs wusetupv.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3332"C:\Users\admin\AppData\Local\Temp\Aksip.exe" C:\Users\admin\AppData\Local\Temp\Aksip.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4084"C:\Users\admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -startC:\Users\admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
Aksip.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1073807364
2568notepad.exeC:\Windows\system32\notepad.exeAksip.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
3735943886
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3868"C:\Users\admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0C:\Users\admin\AppData\Roaming\Microsoft\Windows\taskeng.exetaskeng.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1073807364
2888"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\cmd.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3844bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1904"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled noC:\Windows\system32\cmd.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2860bcdedit /set {default} recoveryenabled noC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2092"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quietC:\Windows\system32\cmd.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3924wbadmin delete catalog -quietC:\Windows\system32\wbadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® BLB Backup
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
7 128
Read events
1 442
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
10 077
Text files
1 532
Unknown types
26

Dropped files

PID
Process
Filename
Type
3332Aksip.exeC:\Users\admin\AppData\Local\Temp\Cab9497.tmp
MD5:
SHA256:
3332Aksip.exeC:\Users\admin\AppData\Local\Temp\Tar9498.tmp
MD5:
SHA256:
4084taskeng.exeC:\Users\admin\AppData\Local\Temp\CabAE3A.tmp
MD5:
SHA256:
4084taskeng.exeC:\Users\admin\AppData\Local\Temp\TarAE3B.tmp
MD5:
SHA256:
3868taskeng.exeC:\Program Files\Adobe\Acrobat Reader DC\Benioku.htm
MD5:
SHA256:
3868taskeng.exeC:\Program Files\Adobe\Acrobat Reader DC\Berime.htm
MD5:
SHA256:
3332Aksip.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBder
MD5:00CE35FBDEFA0AD708626F93B06480DC
SHA256:4C7C126A69D9C29C3320B651631C776C94018A3BF37E8096808FFF968EF33C6D
3332Aksip.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEbinary
MD5:83EE5F260F4F7BD4EBC19ECB1CCF9B70
SHA256:E33F64B9A6E00F600336A77270BC3C5B6EA58AFD251745A510086DE47C3EFB4D
3332Aksip.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9Bbinary
MD5:DA6ABDDF7F58903A18B1B3816CA591FF
SHA256:055EB9008729D893EF74674D62E99D4F4D4B24753146F3E2D860D4AB847A6651
3332Aksip.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9Bder
MD5:16351BC92441876E7107DB335595D0FF
SHA256:37D89976D154109BEF1DAA2212444E1CEA676F942BF08BC00EEAF9C30633259E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
34
DNS requests
28
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3332
Aksip.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
US
der
471 b
whitelisted
3332
Aksip.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEQCTi7COYph7T3X5jLalBFyW
US
der
728 b
whitelisted
3332
Aksip.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRyyuDOSqb8BtprWZSAvBT9kFoYdwQU%2BftQxItnu2dk%2FoMhpqnOP1WEk5kCECn0cOfWR0Lw3C9ArRRVmXM%3D
US
der
471 b
whitelisted
HEAD
200
205.185.216.42:80
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2002212305
US
whitelisted
HEAD
200
13.107.4.50:80
http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/wsus3setup.cab?2002212305
US
whitelisted
4084
taskeng.exe
GET
200
195.138.255.16:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
DE
der
1.37 Kb
whitelisted
4084
taskeng.exe
GET
200
195.138.255.17:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgPAlKDFmOROcYdKkShFZ3AtUQ%3D%3D
DE
der
527 b
whitelisted
2908
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
518 b
whitelisted
4084
taskeng.exe
GET
301
158.69.65.151:80
http://geoiptool.com/
CA
html
184 b
whitelisted
GET
200
13.107.4.50:80
http://ds.download.windowsupdate.com/v11/3/windowsupdate/selfupdate/WSUS3/x86/Win7SP1/WuSetupHandler.cab?2002212306
US
compressed
61.9 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4084
taskeng.exe
88.99.66.31:80
iplogger.org
Hetzner Online GmbH
DE
malicious
4084
taskeng.exe
88.99.66.31:443
iplogger.org
Hetzner Online GmbH
DE
malicious
4084
taskeng.exe
195.138.255.17:80
ocsp.int-x3.letsencrypt.org
AS33891 Netzbetrieb GmbH
DE
whitelisted
3332
Aksip.exe
151.139.128.14:80
ocsp.usertrust.com
Highwinds Network Group, Inc.
US
suspicious
4084
taskeng.exe
195.138.255.16:80
isrg.trustid.ocsp.identrust.com
AS33891 Netzbetrieb GmbH
DE
suspicious
205.185.216.42:80
download.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
3332
Aksip.exe
158.69.65.151:80
geoiptool.com
OVH SAS
CA
suspicious
40.91.124.111:443
www.update.microsoft.com
Microsoft Corporation
US
unknown
4084
taskeng.exe
158.69.65.151:443
geoiptool.com
OVH SAS
CA
suspicious
4084
taskeng.exe
158.69.65.151:80
geoiptool.com
OVH SAS
CA
suspicious

DNS requests

Domain
IP
Reputation
geoiptool.com
  • 158.69.65.151
whitelisted
www.geodatatool.com
  • 158.69.65.151
suspicious
ocsp.usertrust.com
  • 151.139.128.14
whitelisted
iplogger.org
  • 88.99.66.31
shared
isrg.trustid.ocsp.identrust.com
  • 195.138.255.16
  • 195.138.255.24
whitelisted
ocsp.int-x3.letsencrypt.org
  • 195.138.255.17
  • 195.138.255.16
whitelisted
download.windowsupdate.com
  • 205.185.216.42
  • 205.185.216.10
whitelisted
www.update.microsoft.com
  • 40.91.124.111
  • 13.64.25.102
whitelisted
ds.download.windowsupdate.com
  • 13.107.4.50
whitelisted
clientservices.googleapis.com
  • 172.217.22.3
whitelisted

Threats

PID
Process
Class
Message
3332
Aksip.exe
Potential Corporate Privacy Violation
ET POLICY Geo Location IP info online service (geoiptool.com)
4084
taskeng.exe
Potential Corporate Privacy Violation
ET POLICY Geo Location IP info online service (geoiptool.com)
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Aksip.exe