File name:

v.bin

Full analysis: https://app.any.run/tasks/227c55c4-5c03-4ddd-a748-5bad57e69994
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: December 25, 2023, 11:09:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

85A3936612C12269B47F33930F990E8A

SHA1:

2762209E26E7DA7FA4FAF2359366B835639159EA

SHA256:

189EB8CF2EF8043E6438A8618710A07A7C020E77D6BCDD2D561BC50E073BCD83

SSDEEP:

3072:po28gotMjuneUUWM5M/j45mtjv7TpSc6ne98jqFZEIViH0EOxvR4HpMfpRnR+6hg:a28lMajU2j45mN7TpSc6O86VE0XBFrg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Renames files like ransomware

      • v.bin.exe (PID: 5592)

    • Actions looks like stealing of personal data

      • v.bin.exe (PID: 5592)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Checks supported languages

      • v.bin.exe (PID: 5592)

    • Manual execution by a user

      • notepad++.exe (PID: 636)

    • Dropped object may contain TOR URL's

      • v.bin.exe (PID: 5592)

    • Drops the executable file immediately after the start

      • v.bin.exe (PID: 5592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:12:25 10:53:39+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 76288
InitializedDataSize: 85504
UninitializedDataSize: -
EntryPoint: 0x403e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start v.bin.exe conhost.exe no specs rundll32.exe no specs notepad++.exe

Process information

PID
CMD
Path
Indicators
Parent process
636"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\debtrange.png.ENC"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
5252\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exev.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5272C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
5592"C:\Users\admin\Desktop\v.bin.exe" C:\Users\admin\Desktop\v.bin.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\v.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
Total events
178
Read events
178
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3 257
Text files
47
Unknown types
52

Dropped files

PID
Process
Filename
Type
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dllbinary
MD5:C2C5E072AE0CAFC7A8DB85129B05A3B8
SHA256:1A2812DEF725B88BFB88F60CA2507E6EFC13373F26EED8A3A692C648FF4E4998
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dllbinary
MD5:1472E750119DF244AE65AFCFCF92FDD6
SHA256:6F94E9541CE252A35DCFC24A0E24AB356B0F41A73FA82D50A77FB8646FD365F0
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dllbinary
MD5:7CFE2A0423BA9C5CBAEB201A89CE17FA
SHA256:9E8231903717CA8320113BE8C7DEE97DF7F5C88A5B05BF5666C4172CA7A32640
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dllbinary
MD5:71FB030D174A3A1BBDB8ABCA34A815F5
SHA256:81CA32773484088EE48A5AFD07EA10E4B20EE9311547B3794C5D95DD0D511456
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dllbinary
MD5:31D6113B32225B2BC9BCA8F5E8BBC4D4
SHA256:51B88F92F223999AF75B7728A7BC93FC1B88A57C8E3B8229A63B50580C1CFA62
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dllbinary
MD5:17A6913CEC82CD2579DBE39AABFEB438
SHA256:D8119907F93B3096B36FD1A05D969E9DB920BFD47D8A9187BB6A5C79CC93F2DB
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dllbinary
MD5:5E03A7EC1B4954DEEA27A30300D41755
SHA256:73D6E9D924627FCE936169ABFA14BC2B28D0BC3024F659D9FB1C2BC4D94C5A8E
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dllbinary
MD5:C37FF25CA90FC501C7806D6AEA254A61
SHA256:70581808141EC655CCBBAAAD97108470D7EAE7EBE6C2E711BA493F78912546DA
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dllbinary
MD5:70477361CDAD452712691640C43695F2
SHA256:2BCF8BADACDB918B3964124C1FCDB0F928D35A18A42D7C899CE3634E554A3C4D
5592v.bin.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dllbinary
MD5:BF58218C14057CAF88B907F2ABEC6293
SHA256:95425193C21DC2CADE96873F818B02A26939C3C43E057C9A3A7EEC9B43C89358
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
40
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
5140
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
4136
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
binary
418 b
unknown
4136
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
binary
409 b
unknown
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1092
svchost.exe
POST
302
23.35.238.131:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
unknown
5140
svchost.exe
20.190.160.22:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1092
svchost.exe
23.35.238.131:80
go.microsoft.com
AKAMAI-AS
DE
unknown
1092
svchost.exe
52.142.223.178:80
dmd.metaservices.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
5612
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4136
SIHClient.exe
52.165.165.26:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4136
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1092
svchost.exe
138.91.171.81:80
dmd.metaservices.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
dmd.metaservices.microsoft.com
  • 52.142.223.178
  • 138.91.171.81
  • 20.231.121.79
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: error while getting certificate informations
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled