File name:

some_malicious_file.bin

Full analysis: https://app.any.run/tasks/39a86f96-8a95-42fa-bea6-ed7c976bcb13
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 05, 2022, 20:14:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
sodinokibi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

890A58F200DFFF23165DF9E1B088E58F

SHA1:

74E3D82F7EE81109E150DC41112CF95B3A4B5307

SHA256:

5F56D5748940E4039053F85978074BDE16D64BD5BA97F6F0026BA8172CB29E93

SSDEEP:

3072:Hp5SexkWi1Lbi4eTMlwDCnu/q2GB96W/y:JvGWwbnWJ/yB9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Sodinokibi ransom note is found

      • some_malicious_file.bin.exe (PID: 3632)
    • Drops the executable file immediately after the start

      • some_malicious_file.bin.exe (PID: 3632)
  • SUSPICIOUS

    • Application launched itself

      • some_malicious_file.bin.exe (PID: 1756)
  • INFO

    • Dropped object may contain TOR URL's

      • some_malicious_file.bin.exe (PID: 3632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2019-Jun-10 15:29:32

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 208

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2019-Jun-10 15:29:32
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
41684
41984
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.55748
.rdata
49152
63056
63488
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.43997
.data
114688
6044
5632
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.68881
.s7bz
122880
51200
51200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.09537
.reloc
176128
1356
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.21532
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start some_malicious_file.bin.exe no specs #SODINOKIBI some_malicious_file.bin.exe cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1756"C:\Users\admin\AppData\Local\Temp\some_malicious_file.bin.exe" C:\Users\admin\AppData\Local\Temp\some_malicious_file.bin.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\some_malicious_file.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
3632"C:\Users\admin\AppData\Local\Temp\some_malicious_file.bin.exe" C:\Users\admin\AppData\Local\Temp\some_malicious_file.bin.exe
some_malicious_file.bin.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\some_malicious_file.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1640"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\cmd.exesome_malicious_file.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
184vssadmin.exe Delete Shadows /All /Quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\vssadmin.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
2412C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3056bcdedit /set {default} recoveryenabled No C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
860bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2904"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\l204e3336-readme.txtC:\Windows\system32\NOTEPAD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
Total events
3 002
Read events
2 978
Write events
24
Delete events
0

Modification events

(PID) Process:(1756) some_malicious_file.bin.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1756) some_malicious_file.bin.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1756) some_malicious_file.bin.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1756) some_malicious_file.bin.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3632) some_malicious_file.bin.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:sub_key
Value:
D60DFF40440F390ED2DDF04B674C2FBBF07D35FA4B2EF7FC981CA8377A2BF44D
(PID) Process:(3632) some_malicious_file.bin.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:pk_key
Value:
DF919732F6774FF52A80AEEE44B997F8F392B667236D53235D8E8B1422BC7A6B
(PID) Process:(3632) some_malicious_file.bin.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:sk_key
Value:
993F4C468E49AF33E26B018BB25663B0663B06B4A4E7F14F5C4E0811D3C95967B83AD069547C948A24C5196C56F21471C67633453BF52A3A8319CFAE2FF0FB70FB484965A8FAB1ACEA40C7F7F324347EFEAE7BABB50617E9
(PID) Process:(3632) some_malicious_file.bin.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:0_key
Value:
4B3DA74F21C52EB2C9594A17D15B997F61995ED7CAC1821DEF544225CFD937AC3C8E10FD1FC965F120872302EE0D9885ED5EAFDD2A7042CD910815DD286EEADF908F7F4DD607610FD00415E6E9A277B79B5A089B69809BBA
(PID) Process:(3632) some_malicious_file.bin.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:rnd_ext
Value:
.l204e3336
(PID) Process:(3632) some_malicious_file.bin.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Operation:writeName:stat
Value:
BB10834160DAEAEC5831A70D3CF6FEACA48C60CF0338A1AA3CCA33AD85FF4DED9CFC85170A535A19064130875DAC774F25AEAEAB928C23F14354569C5A218D579573A5F46F7F032B9030BC45B034F9EE98875A5123562A950AE63C5E0A8F3EBFF5656853CF2A4A30F11C3C3111A3E09A3FC9C82D2CE05E3DAFDF0329E54AFD4A32967DBACCC14A639BDB5F2C5A933D0B53AD13992D85C2643EE2F2B25F4FDF0BAD84A28FE272FC78103C2307F137A5C8381D6B725A5CE052AA496DE662519225888F0BBAC424FA1BE8C232A621562E30BC6C38F77FB13577023041278C4383133D95E80C11B6030626C3094A075F2333E710237883DAAFB7069DB313340067892B419C083086509AA31220D197CE927D4476A9D43E80B432B1D171ECB69BD170DF2793AF36B6B21288D9C8EC102F3EF5877AE9595DD9FA1689E03BBF4E2AE527C83AC5E07ECB4D602A2EC1416224006BF165E0FAE816012F9F0B907F9D48D01E64DAE60DC016D9BCB7740EE2DBDB3E75CF0E43C44A8C6D6BFEC319A970C5C0D89ED3B8DF6CF5C671162316F49B41AED7C5BA8AE53184FBC840126BDB221916AB5CAFD3CBE16C0664980F717CB757F4031387E01C80BC55C295E6316C5DF7D260615E649017CDF98564DFEB18D1CD66A619D656137D6A4B6704190AC0E61F146E8F5F52B8C63A4F000258222D3BDC31B06FA5D990C8B98E47E4DD20F78403358C230375394C3ABD34D7EA654C8005DCF4578DFB446D405E61333505202A3A9B766F9F2BF5ADBF66835384B86F5D641A78FBB2816FD9DBF322AE8C238986B135594D3A71DA1BC8EA016F8850CA86A2DC776DC2346393B01B9675522C81F0E1813E6D612F76DA27871F9CA11B34E972F0E77278D3E8445990B02C53004FEC2C65D772C46D6BB60ABB55F0C86DA99240FEE06FDB45042944CC5140F7BAD8F9D7399D70BB5C4670F2EB836B2DF754485187B581F919A2CF856CD009DA53AFA3700BFE4F88FDAFCADEA5F324744D292C9B49E1294107BCCA3B8D25CB21FE3DF52D657058E20E339C20687195B3B7B4345D756765193321B8D60F3DBE3522FBE2216C67CB95E7A7C346FB3C3781A7E01A64B49E625CAC7A5D088255641B0D5732AEC88554CA5C3FF2C76BFE055DB6624985F354B7F831386E2A27FACC1AA85A6B1A8518C0D88469BC13ED529A9C67FFE3654040BC2DA7EE3EE2976B779F6587356ED7B0F19866A623A8180FDB8EE107
Executable files
0
Suspicious files
261
Text files
1
Unknown types
8

Dropped files

PID
Process
Filename
Type
3632some_malicious_file.bin.exeC:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
MD5:
SHA256:
3632some_malicious_file.bin.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.l204e3336
MD5:
SHA256:
3632some_malicious_file.bin.exeC:\users\admin\contacts\l204e3336-readme.txtbinary
MD5:C86E065E879F13C5B33DE841E8FA60D9
SHA256:5D89A7CF68F0E5B98E04432CA8313B3068BF23ADA6C34868FCD2FE8DF9133118
3632some_malicious_file.bin.exeC:\users\public\l204e3336-readme.txtbinary
MD5:C86E065E879F13C5B33DE841E8FA60D9
SHA256:5D89A7CF68F0E5B98E04432CA8313B3068BF23ADA6C34868FCD2FE8DF9133118
3632some_malicious_file.bin.exeC:\users\admin\downloads\l204e3336-readme.txtbinary
MD5:C86E065E879F13C5B33DE841E8FA60D9
SHA256:5D89A7CF68F0E5B98E04432CA8313B3068BF23ADA6C34868FCD2FE8DF9133118
3632some_malicious_file.bin.exeC:\l204e3336-readme.txtbinary
MD5:C86E065E879F13C5B33DE841E8FA60D9
SHA256:5D89A7CF68F0E5B98E04432CA8313B3068BF23ADA6C34868FCD2FE8DF9133118
3632some_malicious_file.bin.exeC:\recovery\l204e3336-readme.txtbinary
MD5:C86E065E879F13C5B33DE841E8FA60D9
SHA256:5D89A7CF68F0E5B98E04432CA8313B3068BF23ADA6C34868FCD2FE8DF9133118
3632some_malicious_file.bin.exeC:\users\admin\documents\l204e3336-readme.txtbinary
MD5:C86E065E879F13C5B33DE841E8FA60D9
SHA256:5D89A7CF68F0E5B98E04432CA8313B3068BF23ADA6C34868FCD2FE8DF9133118
3632some_malicious_file.bin.exeC:\users\administrator\l204e3336-readme.txtbinary
MD5:C86E065E879F13C5B33DE841E8FA60D9
SHA256:5D89A7CF68F0E5B98E04432CA8313B3068BF23ADA6C34868FCD2FE8DF9133118
3632some_malicious_file.bin.exeC:\users\admin\links\l204e3336-readme.txtbinary
MD5:C86E065E879F13C5B33DE841E8FA60D9
SHA256:5D89A7CF68F0E5B98E04432CA8313B3068BF23ADA6C34868FCD2FE8DF9133118
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
558
DNS requests
362
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3632
some_malicious_file.bin.exe
50.87.136.52:443
craftingalegacy.com
UNIFIEDLAYER-AS-1
US
suspicious
3632
some_malicious_file.bin.exe
92.204.33.146:443
brinkdoepke.eu
Host Europe GmbH
DE
suspicious
3632
some_malicious_file.bin.exe
37.9.175.133:443
kompresory-opravy.com
WebSupport s.r.o.
SK
malicious
3632
some_malicious_file.bin.exe
37.202.7.169:443
autoteamlast.de
Mittwald CM Service GmbH & Co. KG
DE
suspicious
3632
some_malicious_file.bin.exe
101.99.77.144:443
hostastay.com
Shinjiru Technology Sdn Bhd
MY
malicious
3632
some_malicious_file.bin.exe
185.103.16.188:443
ronaldhendriks.nl
CJ2 Hosting B.V.
NL
suspicious
3632
some_malicious_file.bin.exe
78.46.1.42:443
g2mediainc.com
Hetzner Online GmbH
DE
suspicious
3632
some_malicious_file.bin.exe
188.114.96.3:443
vipcarrental.ae
CLOUDFLARENET
NL
malicious
3632
some_malicious_file.bin.exe
15.197.142.173:443
medicalsupportco.com
AMAZON-02
US
malicious
3632
some_malicious_file.bin.exe
89.110.129.56:443
sveneulberg.de
Equinix (Germany) GmbH
DE
suspicious

DNS requests

Domain
IP
Reputation
craftingalegacy.com
  • 50.87.136.52
suspicious
g2mediainc.com
  • 78.46.1.42
suspicious
brinkdoepke.eu
  • 92.204.33.146
suspicious
vipcarrental.ae
  • 188.114.96.3
  • 188.114.97.3
malicious
autoteamlast.de
  • 37.202.7.169
suspicious
hostastay.com
  • 101.99.77.144
suspicious
gavelmasters.com
whitelisted
ronaldhendriks.nl
  • 185.103.16.188
suspicious
successcolony.com.ng
malicious
medicalsupportco.com
  • 15.197.142.173
  • 3.33.152.147
malicious

Threats

No threats detected
No debug info