File name: 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo

Full analysis: https://app.any.run/tasks/736cb086-1c3d-48b8-9297-f27acf2c0800
Verdict: Malicious activity
Analysis date: December 14, 2024, 06:45:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 19495F7F448837F093F8441E3A431A12
SHA1: 178B9F43108474805774733AB282F5ED9F303EA8
SHA256: 4D30631796441EA1AF0D726B5B9A95C5388819F55EECCF0AE5241E45E78DE61B
SSDEEP: 98304:VUHN+E8IfaJzM611/mOOeCj92Gc4iOUYbTTY2wl4GgLL2g3vbeUaS76a7MG50Xws:vvAvxu5XUBOUP1Z3eOU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS (all attributed to 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe, PID 3436)
    • Executable content was dropped or overwritten
    • The process drops C-runtime libraries
    • Drops a system driver (possible attempt to evade defenses)
    • Process drops a legitimate Windows executable
  • INFO (same process, PID 3436)
    • The sample was compiled with English language support
    • The sample was compiled with Chinese language support
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:08:08 15:44:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 1588224
InitializedDataSize: 19601408
UninitializedDataSize: -
EntryPoint: 0x138e6f
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.1.1.5
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: HugeStone
FileDescription: 加密软件 ("Encryption software")
FileVersion: 6.1.1.5
InternalName: Client.exe
LegalCopyright: HugeStone保留所有权利 ("HugeStone. All rights reserved.")
OriginalFileName: Server_Client
ProductName: Server_Clien
ProductVersion: -
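The EXIF fields above are values the linker writes into the PE headers. The following is an added Python example, not ANY.RUN's code and not anything taken from the sample; it shows how to read those same fields from raw bytes with the standard struct module, which is how you verify a tool's output or triage a file that a parser refuses. The header bytes are constructed to carry the report's values (i386, 5 sections, the 2019-08-08 timestamp, linker 12, code and initialized-data sizes, entry point 0x138e6f, subsystem 6.0 GUI); ImageBase, alignments and BaseOfCode are assumed filler, and the section table and data directories are omitted.

```python
"""Read PE header fields (machine, timestamp, linker, sizes, entry point, subsystem)
from raw bytes with struct. The header built by build_sample_header() is constructed
to carry the values from the report above; it is not the sample's real bytes."""
import calendar
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# IMAGE_OPTIONAL_HEADER32 from Magic through DllCharacteristics (72 bytes)
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH"


def parse_pe_header(data):
    """Return the header fields an analyst compares against a sandbox's EXIF block."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    if opt_size < struct.calcsize(OPT32_FMT):
        raise ValueError("optional header too short for PE32")
    opt = struct.unpack_from(OPT32_FMT, data, coff_off + struct.calcsize(COFF_FMT))
    if opt[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("not a PE32 image (PE32+ has a different optional header layout)")
    return {
        "machine": "Intel 386 or later, and compatibles" if machine == IMAGE_FILE_MACHINE_I386 else hex(machine),
        "sections": nsections,
        # Written by the linker and trivially forged: a hint about build date, not evidence.
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "is_32bit_exe": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE) and bool(chars & IMAGE_FILE_32BIT_MACHINE),
        "linker_version": f"{opt[1]}.{opt[2]}",
        "code_size": opt[3],
        "initialized_data_size": opt[4],
        "entry_point": hex(opt[6]),
        "os_version": opt[12],
        "subsystem_version": opt[16],
        "subsystem": SUBSYSTEMS.get(opt[22], hex(opt[22])),
    }


def build_sample_header():
    """Constructed header carrying the report's EXIF values (assumed layout, not the real
    sample). ImageBase/alignments are filler; section table and data directories are zero."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    ts = calendar.timegm((2019, 8, 8, 15, 44, 19))  # 2019:08:08 15:44:19+00:00
    coff = struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_I386, 5, ts, 0, 0, 0xE0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = struct.pack(OPT32_FMT,
                      IMAGE_NT_OPTIONAL_HDR32_MAGIC, 12, 0,  # Magic, linker 12.0
                      1588224, 19601408, 0, 0x138E6F,        # code, init data, uninit data, entry point
                      0x1000, 0, 0x400000, 0x1000, 0x200,    # BaseOfCode, BaseOfData, ImageBase, alignments (assumed)
                      6, 0, 0, 0, 6, 0,                      # OS 6.0, image 0.0, subsystem 6.0
                      0, 0, 0, 0,                            # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0)                                  # Subsystem = Windows GUI, DllCharacteristics
    opt += b"\0" * (0xE0 - len(opt))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_header()).items():
        print(f"{key:>22}: {value}")
```

Point parse_pe_header at the first few hundred bytes of a real file to get the same dictionary; for a PE32+ image the Magic check fails on purpose, since the 64-bit optional header has a different layout after BaseOfCode.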
Total processes: 122
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive graph in the full report: start -> 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe -> 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe, the second instance marked "no specs".)

Process information

PID 3436
  CMD: "C:\Users\admin\Desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe"
  Path: C:\Users\admin\Desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe
  Indicators: (none listed)
  Parent process: explorer.exe
  User: admin
  Company: HugeStone
  Integrity Level: HIGH
  Description: 加密软件 ("Encryption software")
  Version: 6.1.1.5

PID 5964
  CMD: "C:\Users\admin\Desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe"
  Path: C:\Users\admin\Desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe
  Indicators: (none listed)
  Parent process: explorer.exe
  User: admin
  Company: HugeStone
  Integrity Level: MEDIUM
  Description: 加密软件 ("Encryption software")
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch was refused because the image requires elevation; the HIGH-integrity instance is PID 3436, and all dropped files are attributed to that elevated instance)
  Version: 6.1.1.5
Modules (images)

c:\users\admin\desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 79
Suspicious files: 7
Text files: 16
Unknown types: 3

Dropped files

All rows below: PID 3436, process 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe.

• C:\HsUpdate\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.cab
  Type: (empty in the report)
  MD5: (empty in the report)
  SHA256: (empty in the report)
• C:\SendFileTool.log
  Type: text
  MD5: 80275EC6D4A55B4751E34D78C1EA28F3
  SHA256: 12933CB61EC4B495927397E224ECDFEC7536D679F215D369329071A8E9D0FD61
• C:\ProgramData\DelayUpdate\atl71.dll
  Type: executable
  MD5: 43AB669D0D8472B92016B9D4CAA68550
  SHA256: A969B9D130DFAD7D6CCBF4B4529B84AED7C90F3518024DABE5564ACC864B4DA4
• C:\ProgramData\DelayUpdate\atl712.dll
  Type: binary
  MD5: 454562B46CB45AAF3E5B55EA14AB22DB
  SHA256: 38FFC8F2641D8DA00D405D0955919881EEFA4FA263FA64ED0862CC5899536A0B
• C:\ProgramData\DelayUpdate\HsUpdateLog.ini
  Type: binary
  MD5: F6297BA86DC0A74F68A04E053C0B9ADB
  SHA256: 994A7DEE23F3F32346EEE6C85607786E5DD7906F15CC8F79FA4BFA87C92DC0B0
• C:\ProgramData\DelayUpdate\atl.dll
  Type: binary
  MD5: 2FAF0F57C2BAAB96C578998515C26959
  SHA256: 2E96D983E26FDBB294A63E66997F50D5158D681DB5DF358556CCA27E34C71BB2
• C:\ProgramData\DelayUpdate\detoured.dll
  Type: executable
  MD5: F41F6709174FE80C7FA2823A9BBFF47A
  SHA256: 9142E9D6F9595341D83D9921614D2CB3C38550A37F40E212353E3C632054C395
• C:\ProgramData\DelayUpdate\AssistProc.exe
  Type: executable
  MD5: 9A06911FFA2CE428F8F4DAC71C968EEB
  SHA256: 2356D50CA9A377491D447FAE1C1F5C30E0F9607336B12B55A450C55E6C7FAE34
• C:\ProgramData\DelayUpdate\DogPwdVerify.exe
  Type: executable
  MD5: 3C39AA02B8CFE62E8628E3ABB36AED56
  SHA256: 4D5DFE6A3016F092CF3455E12DFB900C48D5C4DE38FE2F10D3ECF54CCFEA414C
• C:\ProgramData\DelayUpdate\configex.ini
  Type: text
  MD5: A99C837DF56B5311CD17889BFBAD7CAB
  SHA256: 71B23414A9F4D5C5B3F4E5CCBD6F59E98F15443545C2FF9FA9B579A2DE51DADF
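Two things in the process and dropped-files tables are worth turning into detection logic: a medium-integrity launch that exits with 3221226540 while a high-integrity instance of the same image runs, and executables written to a staging directory under C:\ProgramData. The following is an added Python example, not ANY.RUN's tooling; it runs both rules over a constructed event stream whose PIDs, paths and file types are copied from the tables above. The event schema (ev, pid, image, path, type, integrity, exit_code) is an assumption made for the example.

```python
"""Triage rules over a constructed event stream modeled on this report.
The event schema is an assumption for the example, not ANY.RUN's export format."""
from collections import Counter
import ntpath

# NTSTATUS returned when an image that requires elevation is started from a
# medium-integrity context; decimal 3221226540 in the process table above.
STATUS_ELEVATION_REQUIRED = 0xC000042C

STEM = "2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo"
SAMPLE = rf"C:\Users\admin\Desktop\{STEM}.exe"
STAGING = r"C:\ProgramData\DelayUpdate"

# Constructed events; PIDs, paths, integrity levels and types are copied from the report.
EVENTS = [
    {"ev": "proc_start", "pid": 5964, "image": SAMPLE, "parent": "explorer.exe", "integrity": "MEDIUM"},
    {"ev": "proc_exit", "pid": 5964, "exit_code": 3221226540},
    {"ev": "proc_start", "pid": 3436, "image": SAMPLE, "parent": "explorer.exe", "integrity": "HIGH"},
    {"ev": "file_write", "pid": 3436, "path": rf"C:\HsUpdate\{STEM}.cab", "type": "unknown"},
    {"ev": "file_write", "pid": 3436, "path": r"C:\SendFileTool.log", "type": "text"},
    {"ev": "file_write", "pid": 3436, "path": rf"{STAGING}\atl71.dll", "type": "executable"},
    {"ev": "file_write", "pid": 3436, "path": rf"{STAGING}\atl712.dll", "type": "binary"},
    {"ev": "file_write", "pid": 3436, "path": rf"{STAGING}\HsUpdateLog.ini", "type": "binary"},
    {"ev": "file_write", "pid": 3436, "path": rf"{STAGING}\atl.dll", "type": "binary"},
    {"ev": "file_write", "pid": 3436, "path": rf"{STAGING}\detoured.dll", "type": "executable"},
    {"ev": "file_write", "pid": 3436, "path": rf"{STAGING}\AssistProc.exe", "type": "executable"},
    {"ev": "file_write", "pid": 3436, "path": rf"{STAGING}\DogPwdVerify.exe", "type": "executable"},
    {"ev": "file_write", "pid": 3436, "path": rf"{STAGING}\configex.ini", "type": "text"},
]


def ntstatus(exit_code):
    """Render a decimal exit code as the 32-bit NTSTATUS hex value analysts recognise."""
    return f"0x{exit_code & 0xFFFFFFFF:08X}"


def find_elevation_relaunch(events):
    """Pair each launch that died with STATUS_ELEVATION_REQUIRED with a HIGH-integrity
    instance of the same image: the footprint of a binary that demands administrator
    rights being retried through UAC. Returns [(failed_pid, elevated_pid), ...]."""
    starts = {e["pid"]: e for e in events if e["ev"] == "proc_start"}
    failed = [e["pid"] for e in events
              if e["ev"] == "proc_exit" and e["exit_code"] == STATUS_ELEVATION_REQUIRED]
    pairs = []
    for pid in failed:
        image = starts[pid]["image"]
        for other, s in starts.items():
            if other != pid and s["image"] == image and s["integrity"] == "HIGH":
                pairs.append((pid, other))
    return pairs


def find_dropped_executables(events):
    """Executables written outside the writing process's own directory, the behaviour
    behind the 'Executable content was dropped or overwritten' indicator."""
    starts = {e["pid"]: e for e in events if e["ev"] == "proc_start"}
    hits = []
    for e in events:
        if e["ev"] != "file_write" or e["type"] != "executable":
            continue
        own_dir = ntpath.dirname(starts[e["pid"]]["image"]).lower()
        if not e["path"].lower().startswith(own_dir + "\\"):
            hits.append(e["path"])
    return hits


def staging_directories(events):
    """Count writes per directory to show where the sample stages its payload."""
    return Counter(ntpath.dirname(e["path"]) for e in events if e["ev"] == "file_write")


if __name__ == "__main__":
    for failed, elevated in find_elevation_relaunch(EVENTS):
        print(f"PID {failed} exited {ntstatus(3221226540)}; elevated instance is PID {elevated}")
    for path in find_dropped_executables(EVENTS):
        print("dropped executable:", path)
    for directory, count in staging_directories(EVENTS).most_common():
        print(f"{count:2d} writes under {directory}")
```

In real telemetry the same two rules map onto Sysmon event IDs 1 (process create) and 11 (file create) plus Security event 4689, which carries the exit status; the drop rule needs an allow-list for known installers, while the exit-code rule is low-noise because 0xC000042C only appears when a process was refused at medium integrity.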
HTTP(S) requests: 3
TCP/UDP connections: 19
DNS requests: 6
Threats: 0

HTTP requests

(PID, process, content type and size are not recorded for these requests in the report.)

• GET 200 2.16.164.106:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
• GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
• GET 200 95.101.149.131:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted

All three are Microsoft CRL downloads, i.e. certificate revocation checks; no HTTP request to a non-Microsoft host was captured in this run, and no request is attributed to the sample's processes.

Connections

(PID and process are not recorded for the first six rows.)

• 192.168.100.255:137 (NetBIOS name service broadcast) | whitelisted
• 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
• 192.168.100.255:138 (NetBIOS datagram broadcast) | whitelisted
• 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
• 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
• 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
• PID 2624 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
• PID 3976 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

• settings-win.data.microsoft.com: 51.124.78.146, 4.231.128.59 (whitelisted)
• google.com: 142.250.185.142 (whitelisted)
• crl.microsoft.com: 2.16.164.106, 2.16.164.49 (whitelisted)
• www.microsoft.com: 95.101.149.131 (whitelisted)
• self.events.data.microsoft.com: 52.182.143.210 (whitelisted)

Threats

No threats detected
No debug info