File name:

v.bin

Full analysis: https://app.any.run/tasks/227c55c4-5c03-4ddd-a748-5bad57e69994
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: December 25, 2023, 11:09:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

85A3936612C12269B47F33930F990E8A

SHA1:

2762209E26E7DA7FA4FAF2359366B835639159EA

SHA256:

189EB8CF2EF8043E6438A8618710A07A7C020E77D6BCDD2D561BC50E073BCD83

SSDEEP:

3072:po28gotMjuneUUWM5M/j45mtjv7TpSc6ne98jqFZEIViH0EOxvR4HpMfpRnR+6hg:a28lMajU2j45mN7TpSc6O86VE0XBFrg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Renames files like ransomware

      • v.bin.exe (PID: 5592)

    • Actions looks like stealing of personal data

      • v.bin.exe (PID: 5592)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Checks supported languages

      • v.bin.exe (PID: 5592)

    • Manual execution by a user

      • notepad++.exe (PID: 636)

    • Dropped object may contain TOR URL's

      • v.bin.exe (PID: 5592)

    • Drops the executable file immediately after the start

      • v.bin.exe (PID: 5592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:12:25 10:53:39+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 76288
InitializedDataSize: 85504
UninitializedDataSize: -
EntryPoint: 0x403e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start v.bin.exe conhost.exe no specs rundll32.exe no specs notepad++.exe

Process information

PID
CMD
Path
Indicators
Parent process
636"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\debtrange.png.ENC"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
5252\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exev.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5272C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
5592"C:\Users\admin\Desktop\v.bin.exe" C:\Users\admin\Desktop\v.bin.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\v.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events
178
Read events
178
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3 257
Text files
47
Unknown types
52

Dropped files

PID
Process
Filename
Type
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dllbinary
MD5:977508546EB2983F03DC74B8581CFBBD
SHA256:74434F972F6CC9902FBFCC60EA0B25A247221380EFDDEA28111757B5D3819FA6
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dllbinary
MD5:5E03A7EC1B4954DEEA27A30300D41755
SHA256:73D6E9D924627FCE936169ABFA14BC2B28D0BC3024F659D9FB1C2BC4D94C5A8E
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dllbinary
MD5:17A6913CEC82CD2579DBE39AABFEB438
SHA256:D8119907F93B3096B36FD1A05D969E9DB920BFD47D8A9187BB6A5C79CC93F2DB
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dllbinary
MD5:245D4618BDECD1659D1B7CA7E4E5B1E1
SHA256:AAD60FE2067D31F664B6BC16C6E14E5858BED2F4B40D749B9F8740D23F0E3F57
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dllbinary
MD5:DD48B950C20E5AD0EE08EC29C5ED6280
SHA256:DC117C4AB3A560BFED05E5787EA0F9B3B815FD766BB5F9E33056D31A518605BC
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dllbinary
MD5:78CFC608260497B0846E97134A40A860
SHA256:2AB7293694DCBB5BF74F24032C3534B46D21C4CC857C54C30C76E95678940B72
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dllbinary
MD5:ADD72C1D43BDD8EC24D22686F339C5D5
SHA256:4FD47D082CD7392B24DC7CFAF79E878FDD83174BD04815DE84AC4A6BEDDDBF30
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dllbinary
MD5:2F9A69627C31295C44A9DD6815458130
SHA256:E28835D72DC530A8B7E2CCA5A86881BF710F1EA1EC25CEE1FB49A4F986E42381
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dllbinary
MD5:200BCB6D507A249EC50A02CBF559E585
SHA256:60ED5E176746F3941A137EB85FF1946FF2E70B2E0EB6889F42D8F5DB8A210AFE
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dllbinary
MD5:1472E750119DF244AE65AFCFCF92FDD6
SHA256:6F94E9541CE252A35DCFC24A0E24AB356B0F41A73FA82D50A77FB8646FD365F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
40
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5140
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
4136
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
binary
418 b
unknown
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
4136
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
binary
409 b
unknown
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
unknown
5140
svchost.exe
20.190.160.22:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1092
svchost.exe
23.35.238.131:80
go.microsoft.com
AKAMAI-AS
DE
unknown
1092
svchost.exe
52.142.223.178:80
dmd.metaservices.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
5612
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4136
SIHClient.exe
52.165.165.26:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4136
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1092
svchost.exe
138.91.171.81:80
dmd.metaservices.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
dmd.metaservices.microsoft.com
  • 52.142.223.178
  • 138.91.171.81
  • 20.231.121.79
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: error while getting certificate informations
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled