| File name: | ransom.exe |
| Full analysis: | https://app.any.run/tasks/f1d3f8b9-2dca-4ed3-8b46-0bcf8511164e |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | August 31, 2019, 10:16:58 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 11B3C148DCF59F09753BBA161CEA5F23 |
| SHA1: | 0845259C5E685DBD19AB9F15A7C2B38D60B8D07F |
| SHA256: | 32DB24CC3456965BA75319617EF2094C9549874533B5FC6C13769A994DC57877 |
| SSDEEP: | 6144:j5iK5J6Va/R1k1uNIMXvdBAXossEqG3Z6eILaxUIrltrNiQ8:j5Aa51k8IMAXossEqG3Z6TaxUIrllNiQ |
MALICIOUS
Dropped file may contain instructions of ransomware
- ransom.exe (PID: 3660)
Deletes shadow copies
- ransom.exe (PID: 3660)
Starts NET.EXE for service management
- ransom.exe (PID: 3660)
Modifies files in Chrome extension folder
- ransom.exe (PID: 3660)
Actions looks like stealing of personal data
- ransom.exe (PID: 3660)
SUSPICIOUS
Executable content was dropped or overwritten
- ransom.exe (PID: 3660)
Reads the cookies of Mozilla Firefox
- ransom.exe (PID: 3660)
Creates files in the program directory
- ransom.exe (PID: 3660)
Creates files in the user directory
- ransom.exe (PID: 3660)
INFO
Dropped object may contain Bitcoin addresses
- ransom.exe (PID: 3660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .dll | | | Win32 Dynamic Link Library (generic) (38.3) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (26.2) |
| .exe | | | Win16/32 Executable Delphi generic (12) |
| .exe | | | Generic Win/DOS Executable (11.6) |
| .exe | | | DOS Executable Generic (11.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:08:31 09:13:29+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 59904 |
| InitializedDataSize: | 205824 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x4800a |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | Microsoft PDF Document |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft PDF Document |
| FileVersion: | 1.0.0.0 |
| InternalName: | Encryptor.exe |
| LegalCopyright: | Microsoft Corporation © 2019, all rights reserved. |
| LegalTrademarks: | Microsoft Corporation © 2019 |
| OriginalFileName: | Encryptor.exe |
| ProductName: | Microsoft PDF Document |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 31-Aug-2019 07:13:29 |
| Comments: | Microsoft PDF Document |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft PDF Document |
| FileVersion: | 1.0.0.0 |
| InternalName: | Encryptor.exe |
| LegalCopyright: | Microsoft Corporation © 2019, all rights reserved. |
| LegalTrademarks: | Microsoft Corporation © 2019 |
| OriginalFilename: | Encryptor.exe |
| ProductName: | Microsoft PDF Document |
| ProductVersion: | 1.0.0.0 |
| Assembly Version: | 1.0.0.0 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000080 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 5 |
| Time date stamp: | 31-Aug-2019 07:13:29 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
5BA\x14\x024F;\xd4F\x02 | 0x00002000 | 0x000246D4 | 0x00024800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99878 |
.text | 0x00028000 | 0x0000E678 | 0x0000E800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.67601 |
.rsrc | 0x00038000 | 0x0000D9D8 | 0x0000DA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.88331 |
.reloc | 0x00046000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0980042 |
0x00048000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0.142636 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
2 | 5.92992 | 1384 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 7.10471 | 3240 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 6.9463 | 7336 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 6.7839 | 12840 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 6.84051 | 28840 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 2.96963 | 76 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
Imports
mscoree.dll |
Total processes
48
Monitored processes
6
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2768 | C:\Windows\system32\net1 /stop WinDefend /y | C:\Windows\system32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2884 | "net.exe" /stop WinDefend /y | C:\Windows\system32\net.exe | — | ransom.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2996 | C:\Windows\system32\net1 /stop MBAMService /y | C:\Windows\system32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3132 | "net.exe" /stop MBAMService /y | C:\Windows\system32\net.exe | — | ransom.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3440 | "vssadmin.exe" Delete Shadows /All /Quiet | C:\Windows\system32\vssadmin.exe | — | ransom.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3660 | "C:\Users\admin\AppData\Local\Temp\ransom.exe" | C:\Users\admin\AppData\Local\Temp\ransom.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft PDF Document Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
Total events
45 063
Read events
1 690
Write events
19 715
Delete events
23 658
Modification events
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: 4C0E00004E427141E55FD501 | |||
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: A5782BAD9AE1BD66E55DDE04245F54FAD9383854387885BD6AAEBD734CCF2CCE | |||
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Program Files\Adobe\Acrobat Reader DC\Benioku.htm | |||
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: 7240E7856C6CCDE7C96DB232CC492EBDFA0F082D059C9F1EB392695019184BAD | |||
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFilesHash |
Value: 7240E7856C6CCDE7C96DB232CC492EBDFA0F082D059C9F1EB392695019184BAD | |||
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFiles0000 |
Value: C:\Program Files\Adobe\Acrobat Reader DC\Benioku.htm | |||
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: A5782BAD9AE1BD66E55DDE04245F54FAD9383854387885BD6AAEBD734CCF2CCE | |||
| (PID) Process: | (3660) ransom.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Owner |
Value: 4C0E00004E427141E55FD501 | |||
Executable files
2
Suspicious files
658
Text files
109
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3660 | ransom.exe | C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf.HILDA! | binary | |
MD5:— | SHA256:— | |||
| 3660 | ransom.exe | C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates.xml.HILDA! | binary | |
MD5:— | SHA256:— | |||
| 3660 | ransom.exe | C:\Users\admin\AppData\Local\IconCache.db.HILDA! | binary | |
MD5:— | SHA256:— | |||
| 3660 | ransom.exe | C:\ProgramData\Microsoft\RAC\PublishedData\READ_IT.TXT | text | |
MD5:68184E81161C4B0A03647C9D3EE7CA88 | SHA256:3F718F7588E5D93D1BF7EC8F00FF8A33588746C5185C85742F33FB2E88F5BBB7 | |||
| 3660 | ransom.exe | C:\Users\admin\AppData\Local\FileZilla\default_filter20x20.png.HILDA! | binary | |
MD5:— | SHA256:— | |||
| 3660 | ransom.exe | C:\Users\admin\AppData\Roaming{00000000-0000-0000-0000-000000000000}\HildaloliLOVESMHTandVK_Intel.exe | executable | |
MD5:E189B5CE11618BB7880E9B09D53A588F | SHA256:97D27E1225B472A63C88AC9CFB813019B72598B9DD2D70FE93F324F7D034FB95 | |||
| 3660 | ransom.exe | C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\READ_IT.TXT | text | |
MD5:68184E81161C4B0A03647C9D3EE7CA88 | SHA256:3F718F7588E5D93D1BF7EC8F00FF8A33588746C5185C85742F33FB2E88F5BBB7 | |||
| 3660 | ransom.exe | C:\Users\admin\AppData\Local\FileZilla\default_dropdown12x12.png.HILDA! | binary | |
MD5:— | SHA256:— | |||
| 3660 | ransom.exe | C:\Users\admin\AppData\Local\FileZilla\default_find20x20.png.HILDA! | binary | |
MD5:— | SHA256:— | |||
| 3660 | ransom.exe | C:\Users\admin\AppData\Local\FileZilla\default_disconnect20x20.png.HILDA! | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report