File name: RuckZuck(1).exe

Full analysis: https://app.any.run/tasks/97bb6154-25a5-40a4-93ff-4f202aee20f4
Verdict: Malicious activity
Analysis date: April 17, 2024, 19:26:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 981DA0EE9844D7162660EF9C3D60CB1E
SHA1: D717E9C85C8666554C57672468B33979A131EC5D
SHA256: 24BEBCA72D6CD5E03EF67AFFBF7328A58A928DD58371DCEF8287A3AC69F534C2
SSDEEP: 49152:LL1PAe8RLZ/2yCgLWb75NHb1HNj/7CcuAk0K8jbjSpxRyCOZsYEt+6e8N5/JpxKU:LLVT8RLZ/Mbzxl/7wAk0K0XSRDdYgeC9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • RuckZuck(1).exe (PID: 2416)
  • SUSPICIOUS
    • Reads the Internet Settings
      • RuckZuck(1).exe (PID: 2416)
    • Reads security settings of Internet Explorer
      • RuckZuck(1).exe (PID: 2416)
    • Reads settings of System Certificates
      • RuckZuck(1).exe (PID: 2416)
    • Checks Windows Trust Settings
      • RuckZuck(1).exe (PID: 2416)
    • Searches for installed software
      • RuckZuck(1).exe (PID: 2416)
  • INFO
    • Checks supported languages
      • RuckZuck(1).exe (PID: 2416)
    • Reads the computer name
      • RuckZuck(1).exe (PID: 2416)
    • Reads Environment values
      • RuckZuck(1).exe (PID: 2416)
    • Checks proxy server information
      • RuckZuck(1).exe (PID: 2416)
    • Reads the machine GUID from the registry
      • RuckZuck(1).exe (PID: 2416)
    • Reads the software policy settings
      • RuckZuck(1).exe (PID: 2416)
    • Creates files or folders in the user directory
      • RuckZuck(1).exe (PID: 2416)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:24 10:33:16+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 1396224
InitializedDataSize: 14336
UninitializedDataSize: -
EntryPoint: 0x156dee
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.7.3.5
ProductVersionNumber: 1.7.3.5
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Software Package Manager for Windows
CompanyName: ROMAWO GmbH
FileDescription: RuckZuck
FileVersion: 1.7.3.5
InternalName: RuckZuck.exe
LegalCopyright: Copyright © 2024 by ROMAWO GmbH
LegalTrademarks: -
OriginalFileName: RuckZuck.exe
ProductName: RuckZuck
ProductVersion: 1.7.3.5
AssemblyVersion: 1.7.3.20795
No data.
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> ruckzuck(1).exe -> ruckzuck(1).exe (no specs)

Process information

PID | CMD | Path | Parent process
1288 | "C:\Users\admin\AppData\Local\Temp\RuckZuck(1).exe" | C:\Users\admin\AppData\Local\Temp\RuckZuck(1).exe | explorer.exe
User: admin
Company: ROMAWO GmbH
Integrity Level: MEDIUM
Description: RuckZuck
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.7.3.5
Modules (Images):
c:\users\admin\appdata\local\temp\ruckzuck(1).exe
c:\windows\system32\ntdll.dll

2416 | "C:\Users\admin\AppData\Local\Temp\RuckZuck(1).exe" | C:\Users\admin\AppData\Local\Temp\RuckZuck(1).exe | explorer.exe
User: admin
Company: ROMAWO GmbH
Integrity Level: HIGH
Description: RuckZuck
Version: 1.7.3.5
Modules (Images):
c:\users\admin\appdata\local\temp\ruckzuck(1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 10 052
Read events: 9 993
Write events: 50
Delete events: 9

Modification events

(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Operation: write | Name: Name | Value: RuckZuck(1).exe
(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuckZuck(1)_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuckZuck(1)_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuckZuck(1)_RASAPI32 | Operation: write | Name: FileTracingMask | Value: (empty)
(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuckZuck(1)_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value: (empty)
(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuckZuck(1)_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
(PID) Process: (2416) RuckZuck(1).exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RuckZuck(1)_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
Executable files: 0
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2416 | RuckZuck(1).exe | C:\Users\admin\AppData\Local\ROMAWO_GmbH\RuckZuck(1).exe_Url_2zsixkldacvdg4ua3j5nuap5mp404ljx\1.7.3.20795\user.config
MD5: (none)
SHA256: (none)
2416 | RuckZuck(1).exe | C:\Users\admin\AppData\Local\ROMAWO_GmbH\RuckZuck(1).exe_Url_2zsixkldacvdg4ua3j5nuap5mp404ljx\1.7.3.20795\eqq5q0zu.newcfg
MD5: (none)
SHA256: (none)
2416 | RuckZuck(1).exe | C:\Users\admin\AppData\Local\ROMAWO_GmbH\RuckZuck(1).exe_Url_2zsixkldacvdg4ua3j5nuap5mp404ljx\1.7.3.20795\elyrmrm0.newcfgxml
MD5: 2B6FE5A5027B38CD99D49CC300F43A9C
SHA256: D6580AD140B2C96F360EE164B9A88E06F6BA83DB3DF05DC90D908F0467DDADF6
2416 | RuckZuck(1).exe | C:\Users\admin\AppData\Local\ROMAWO_GmbH\RuckZuck(1).exe_Url_2zsixkldacvdg4ua3j5nuap5mp404ljx\1.7.3.20795\waoo1eh2.newcfgxml
MD5: A71B2875CB982F979BB5140665C8E712
SHA256: 343789C61269549DEFC214994BE390833DB47815A063E35436B104E7E4424A8F
HTTP(S) requests: 0
TCP/UDP connections: 15
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
- | - | 255.255.255.255:5001 | - | - | - | unknown
2416 | RuckZuck(1).exe | 152.199.21.175:443 | cdn.ruckzuck.tools | EDGECAST | DE | whitelisted
2416 | RuckZuck(1).exe | 40.114.194.188:443 | ruckzuck.tools | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown

DNS requests

Domain | IP | Reputation
cdn.ruckzuck.tools | 152.199.21.175 | unknown
ruckzuck.tools | 40.114.194.188 | unknown
ruckzuck.azurewebsites.net | 40.114.194.188 | unknown

Threats

No threats detected
No debug info