File name: 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo

Full analysis: https://app.any.run/tasks/736cb086-1c3d-48b8-9297-f27acf2c0800
Verdict: Malicious activity
Analysis date: December 14, 2024, 06:45:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 19495F7F448837F093F8441E3A431A12
SHA1: 178B9F43108474805774733AB282F5ED9F303EA8
SHA256: 4D30631796441EA1AF0D726B5B9A95C5388819F55EECCF0AE5241E45E78DE61B
SSDEEP: 98304:VUHN+E8IfaJzM611/mOOeCj92Gc4iOUYbTTY2wl4GgLL2g3vbeUaS76a7MG50Xws:vvAvxu5XUBOUP1Z3eOU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe (PID: 3436)
    • The process drops C-runtime libraries
      • 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe (PID: 3436)
    • The process drops a legitimate Windows executable
      • 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe (PID: 3436)
    • Drops a system driver (possible attempt to evade defenses)
      • 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe (PID: 3436)
  • INFO
    • The sample was compiled with English language support
      • 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe (PID: 3436)
    • The sample was compiled with Chinese language support
      • 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe (PID: 3436)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

ProductVersion: -
ProductName: Server_Clien
OriginalFileName: Server_Client
LegalCopyright: HugeStone保留所有权利
InternalName: Client.exe
FileVersion: 6.1.1.5
FileDescription: 加密软件
CompanyName: HugeStone
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.1
FileVersionNumber: 6.1.1.5
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x138e6f
UninitializedDataSize: -
InitializedDataSize: 19601408
CodeSize: 1588224
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2019:08:08 15:44:19+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 122
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe (no specs) -> 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe

Process information

PID: 5964
CMD: "C:\Users\admin\Desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe"
Path: C:\Users\admin\Desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe
Parent process: explorer.exe
User: admin
Company: HugeStone
Integrity Level: MEDIUM
Description: 加密软件
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 6.1.1.5
Modules (Images):
  c:\users\admin\desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 3436
CMD: "C:\Users\admin\Desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe"
Path: C:\Users\admin\Desktop\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe
Parent process: explorer.exe
User: admin
Company: HugeStone
Integrity Level: HIGH
Description: 加密软件
Version: 6.1.1.5
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 79
Suspicious files: 7
Text files: 16
Unknown types: 3

Dropped files (PID | Process | Filename | Type)

3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\HsUpdate\2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.cab | -
  MD5: -
  SHA256: -
3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\ProgramData\DelayUpdate\AutoMsgDlg.exe | executable
  MD5: FF61BCB70FFAFEC82C705EF5F6829227
  SHA256: 86CE28FAFB485120CC34880567A55947A7ECC59BC73F9257CB42A589354FDEC4
3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\ProgramData\DelayUpdate\configex.ini | text
  MD5: A99C837DF56B5311CD17889BFBAD7CAB
  SHA256: 71B23414A9F4D5C5B3F4E5CCBD6F59E98F15443545C2FF9FA9B579A2DE51DADF
3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\ProgramData\DelayUpdate\CheckClient.exe | executable
  MD5: 0FF54A0BFF2F92F77869F1FCBB0BA31E
  SHA256: BF351B67DABDE8F3FEE9BE932B8CC04F2F75AD524215EF882E687503D68F7622
3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\ProgramData\DelayUpdate\atl712.dll | binary
  MD5: 454562B46CB45AAF3E5B55EA14AB22DB
  SHA256: 38FFC8F2641D8DA00D405D0955919881EEFA4FA263FA64ED0862CC5899536A0B
3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\ProgramData\DelayUpdate\FileMD5.bin | binary
  MD5: A87F42DF3E8417A1214ABF6CF4EA8E54
  SHA256: 6FC44E97C2DD424756DF06AB735931C793F3B06CD9A48D6974AE7C511611F1F5
3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\ProgramData\DelayUpdate\UpdateCfg.ini | ini
  MD5: 97DD24298B11C9C4462DE424FE551C35
  SHA256: 743AA3949FF50D891BAD9203DEFBB039B7032F627D2A48722F86BBC1B2BBA215
3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\ProgramData\DelayUpdate\DogPwdVerify.exe | executable
  MD5: 3C39AA02B8CFE62E8628E3ABB36AED56
  SHA256: 4D5DFE6A3016F092CF3455E12DFB900C48D5C4DE38FE2F10D3ECF54CCFEA414C
3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\ProgramData\DelayUpdate\atl71.dll | executable
  MD5: 43AB669D0D8472B92016B9D4CAA68550
  SHA256: A969B9D130DFAD7D6CCBF4B4529B84AED7C90F3518024DABE5564ACC864B4DA4
3436 | 2024-12-14_19495f7f448837f093f8441e3a431a12_bkransomware_metamorfo.exe | C:\ProgramData\DelayUpdate\AssistProc.exe | executable
  MD5: 9A06911FFA2CE428F8F4DAC71C968EEB
  SHA256: 2356D50CA9A377491D447FAE1C1F5C30E0F9607336B12B55A450C55E6C7FAE34
HTTP(S) requests: 3
TCP/UDP connections: 19
DNS requests: 6
Threats: 0

HTTP requests (PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation)

- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections (PID | Process | IP | Domain | ASN | CN | Reputation)

- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2624 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests (Domain | IP | Reputation)

settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 2.16.164.106, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 52.182.143.210 | whitelisted

Threats

No threats detected
No debug info