| File name: | s.exe |
| Full analysis: | https://app.any.run/tasks/2e9f80a9-a63e-4352-9c4b-63eb843d6f91 |
| Verdict: | Malicious activity |
| Threats: | LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations. |
| Analysis date: | September 19, 2023, 09:06:49 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 0D9AEFD8DA622CAE66F03607B71E67E1 |
| SHA1: | 92D2F9E74D7A0F360331D8F4358156679E9BBB7C |
| SHA256: | 18DC4568B21F92864C4BA854ABE72F2A7CBF44D0856C9FDA30B3D2BFB1E96B53 |
| SSDEEP: | 3072:+qJogYkcSNm9V7DFpCwokPTxApWWPcmbsT:+q2kc4m9tDFpT/9ApV |
MALICIOUS
Known privilege escalation attack
- dllhost.exe (PID: 1468)
Renames files like ransomware
- s.exe (PID: 1240)
Steals credentials from Web Browsers
- s.exe (PID: 1240)
[YARA] LockBit is detected
- s.exe (PID: 1240)
Actions looks like stealing of personal data
- s.exe (PID: 1240)
SUSPICIOUS
Write to the desktop.ini file (may be used to cloak folders)
- s.exe (PID: 1240)
Creates files like ransomware instruction
- s.exe (PID: 1240)
Reads browser cookies
- s.exe (PID: 1240)
INFO
Reads the computer name
- s.exe (PID: 3024)
- s.exe (PID: 1240)
Checks supported languages
- s.exe (PID: 3024)
- s.exe (PID: 1240)
Reads the machine GUID from the registry
- s.exe (PID: 3024)
- s.exe (PID: 1240)
Checks transactions between databases Windows and Oracle
- s.exe (PID: 3024)
Creates files in the program directory
- s.exe (PID: 1240)
Creates files or folders in the user directory
- s.exe (PID: 1240)
Create files in a temporary directory
- s.exe (PID: 1240)
Dropped object may contain TOR URL's
- s.exe (PID: 1240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .dll | | | Win32 Dynamic Link Library (generic) (38.3) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (26.2) |
| .exe | | | Win16/32 Executable Delphi generic (12) |
| .exe | | | Generic Win/DOS Executable (11.6) |
| .exe | | | DOS Executable Generic (11.6) |
EXIF
EXE
| Subsystem: | Windows GUI |
|---|---|
| SubsystemVersion: | 5.1 |
| ImageVersion: | - |
| OSVersion: | 5.1 |
| EntryPoint: | 0x1946f |
| UninitializedDataSize: | - |
| InitializedDataSize: | 50688 |
| CodeSize: | 99328 |
| LinkerVersion: | 14.12 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, 32-bit |
| TimeStamp: | 2022:09:13 23:30:57+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
Total processes
43
Monitored processes
3
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1240 | "C:\Users\admin\AppData\Local\Temp\s.exe" | C:\Users\admin\AppData\Local\Temp\s.exe | dllhost.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1468 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3024 | "C:\Users\admin\AppData\Local\Temp\s.exe" | C:\Users\admin\AppData\Local\Temp\s.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
822
Read events
813
Write events
9
Delete events
0
Modification events
| (PID) Process: | (1468) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1468) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1468) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1468) dllhost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1240) s.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | GlobalAssocChangedCounter |
Value: 113 | |||
Executable files
8
Suspicious files
1 093
Text files
817
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1240 | s.exe | C:\Users\Administrator\Saved Games\SvImAxSPk.README.txt | text | |
MD5:41FF7A56A30A6A5342D6DDE0BD9783B1 | SHA256:C401B53679BE89B14F8BFC93DBC927BE0F4761F9B8C3F39F1D6E146D06E50BEC | |||
| 1240 | s.exe | C:\Users\Administrator\Videos\SvImAxSPk.README.txt | text | |
MD5:41FF7A56A30A6A5342D6DDE0BD9783B1 | SHA256:C401B53679BE89B14F8BFC93DBC927BE0F4761F9B8C3F39F1D6E146D06E50BEC | |||
| 1240 | s.exe | C:\ProgramData\SvImAxSPk.ico | image | |
MD5:88D9337C4C9CFE2D9AFF8A2C718EC76B | SHA256:95E059EF72686460884B9AEA5C292C22917F75D56FE737D43BE440F82034F438 | |||
| 1240 | s.exe | C:\SvImAxSPk.README.txt | text | |
MD5:41FF7A56A30A6A5342D6DDE0BD9783B1 | SHA256:C401B53679BE89B14F8BFC93DBC927BE0F4761F9B8C3F39F1D6E146D06E50BEC | |||
| 1240 | s.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\HHHHHHHHHHH | binary | |
MD5:11A06AE970500CA9858ACA4D1C9BE341 | SHA256:CD180E1C0F5430CBEBE6F37F9F24AE12E785C2DEA8BBC77A8EB727675ADDD5E7 | |||
| 1240 | s.exe | C:\Users\Administrator\SvImAxSPk.README.txt | text | |
MD5:41FF7A56A30A6A5342D6DDE0BD9783B1 | SHA256:C401B53679BE89B14F8BFC93DBC927BE0F4761F9B8C3F39F1D6E146D06E50BEC | |||
| 1240 | s.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\CCCCCCCCCCC | binary | |
MD5:11A06AE970500CA9858ACA4D1C9BE341 | SHA256:CD180E1C0F5430CBEBE6F37F9F24AE12E785C2DEA8BBC77A8EB727675ADDD5E7 | |||
| 1240 | s.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\EEEEEEEEEEE | binary | |
MD5:11A06AE970500CA9858ACA4D1C9BE341 | SHA256:CD180E1C0F5430CBEBE6F37F9F24AE12E785C2DEA8BBC77A8EB727675ADDD5E7 | |||
| 1240 | s.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\FFFFFFFFFFF | binary | |
MD5:11A06AE970500CA9858ACA4D1C9BE341 | SHA256:CD180E1C0F5430CBEBE6F37F9F24AE12E785C2DEA8BBC77A8EB727675ADDD5E7 | |||
| 1240 | s.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\AAAAAAAAAAA | binary | |
MD5:11A06AE970500CA9858ACA4D1C9BE341 | SHA256:CD180E1C0F5430CBEBE6F37F9F24AE12E785C2DEA8BBC77A8EB727675ADDD5E7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |