File name: KRSWL0cker.exe
Full analysis: https://app.any.run/tasks/617f2e58-00af-4ca9-a21a-8519fef061b7
Verdict: Malicious activity
Analysis date: October 05, 2022, 02:00:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 585A07714CB3DA8E53CD37054B5ED8F3
SHA1: 444CDCDDFFBD5DE68EF7791E579A9E806E167977
SHA256: 5F6EE623CB033295A0E4C2A701F006C067DAA0DADF09CBFADCD4431B551C80FB
SSDEEP: 1536:rYRe8Fpln4vnaKR0JeDjEX8TDduVbMyjELc50w+XI+tut++8LJFaW/Cxlb5JwKbW:rYRe8Fpln4vnaKR0JeDwX8TDduVbMyjE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • KRSWL0cker.exe (PID: 2968)
  • SUSPICIOUS
    • Reads the computer name
      • KRSWL0cker.exe (PID: 2968)
    • Checks supported languages
      • KRSWL0cker.exe (PID: 2968)
    • Creates files in the user directory
      • KRSWL0cker.exe (PID: 2968)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr | Windows screen saver (12.9)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Generic Win/DOS Executable (1.9)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Oct-05 01:58:03
Debug artifacts:
  • C:\Users\root\Downloads\Nitro-Ransomware-master\Nitro-Ransomware-master\NitroRansomware\bin\Debug\ILMerge\CryptoObfuscator_Output\KRSWL0cker.pdb
Comments: -
CompanyName: -
FileDescription: KRSWL0cker
FileVersion: 1.0.0.0
InternalName: KRSWL0cker.exe
LegalCopyright: Copyright © 2783
LegalTrademarks: -
OriginalFilename: KRSWL0cker.exe
ProductName: KRSWL0cker
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2022-Oct-05 01:58:03
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 8192 | 91076 | 91136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.45942
.reloc | 106496 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191
.rsrc | 114688 | 1464 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.12924

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.30248 | 812 | UNKNOWN | UNKNOWN | RT_VERSION
1 (#2) | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST

Imports

mscoree.dll
No data.
Total processes: 35
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start krswl0cker.exe

Process information

PID: 2968
CMD: "C:\Users\admin\AppData\Local\Temp\KRSWL0cker.exe"
Path: C:\Users\admin\AppData\Local\Temp\KRSWL0cker.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: KRSWL0cker
Version: 1.0.0.0
Total events: 198
Read events: 189
Write events: 9
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2968 | KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | KR | "C:\Users\admin\AppData\Local\Temp\KRSWL0cker.exe"
2968 | KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
2968 | KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
2968 | KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
2968 | KRSWL0cker.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0

Executable files: 0
Suspicious files: 30
Text files: 71
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\clientsnc.rtf.krsw | binary | BD8987D19BF3A08F01692458212BAE72 | 603A3076ABB55F1781162BC6B05E7F2EC9C94E32AE92C13D22C2B59D540813CD
2968 | KRSWL0cker.exe | C:\Users\admin\Pictures\desktop.ini.krsw | binary | 3319C6F67845E27A3F58E0A643471251 | 7B81A6EBCD2E5D652AFFCFFBC231B9BFB16EA5C7514F9CF0ABFB635DE8B80566
2968 | KRSWL0cker.exe | C:\Users\admin\AppData\Local\Temp\krswtkhrkrs.txt | text | C8370F662F6266629D38EE7460E8F77A | 958197DB2E1BBD7CA03D3249A6DBE6F221AE96F228B42BF5774F29DFE8B86C32
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\desktop.ini.krsw | binary | 7D47B0BE084A16B372A8528E251BAB48 | FBE91FA1F67B17AB351327B581E19DB5922BEBA4C69E7773CEDAA239B526CD7E
2968 | KRSWL0cker.exe | C:\Users\admin\Documents\sizewine.rtf.krsw | binary | 85BF9043BCF785CC3A3333869AD16929 | E8055E51DEA5781F27CB0D320E244B49D90D0CC7890CF3FE043CF48A760AC8D0
2968 | KRSWL0cker.exe | C:\Users\admin\Documents\desktop.ini.krsw | binary | B203161D9043BECB07E672CDD1E94F55 | 2A4818483C43B3D0B8B0E9BD13975F924A1155DAE622D986B4A90B41B5338C4F
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\locationaz.rtf.krsw | binary | 0474F2DC9FC5C18A7ADF034FBA0E40F6 | 6F0299C5A527D82B364BA5D6573E1DFF97517E84AB5DA094FAD696A053C745D0
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\beforenorthern.png.krsw | binary | 38F851EFE72CE18A1C2F6BE1D11F85C7 | 4D87D0A2F1B8351056E324AFDA57DB764C8A356D01C9032114D84BAF883F1F5C
2968 | KRSWL0cker.exe | C:\Users\admin\Desktop\developedoverview.jpg.krsw | binary | DED20913811FF5796B9FA73E57AEDCF2 | A7F70C21EE9FFD85879C91F293416A87F3134C182BD9EEAF93758E963BB6CF87
2968 | KRSWL0cker.exe | C:\Users\admin\Pictures\respectivemsn.png.krsw | binary | 2E580CA8A58CD3453CBEEE1AB747560D | 4B83158EFBF341770B0E1B23A57DB323868521B0D3E025375EA9D330B5682296
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info