File name:

Malware.exe

Full analysis: https://app.any.run/tasks/ab51a519-db1a-4242-af4d-e6c4a0f2c22e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: January 06, 2025, 14:02:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
webdav
badrabbit
ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
MD5:

FBBDC39AF1139AEBBA4DA004475E8839

SHA1:

DE5C8D858E6E41DA715DCA1C019DF0BFB92D32C0

SHA256:

630325CAC09AC3FAB908F903E3B00D0DADD5FDAA0875ED8496FCBB97A558D0DA

SSDEEP:

12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Malware.exe (PID: 488)
      • Malware.exe (PID: 5200)
      • Malware.exe (PID: 6932)
      • Malware.exe (PID: 6832)

    • BADRABBIT has been detected

      • Malware.exe (PID: 5200)
      • rundll32.exe (PID: 4076)
      • rundll32.exe (PID: 3220)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6280)
      • cmd.exe (PID: 6324)

    • WebDav connection (SURICATA)

      • rundll32.exe (PID: 4076)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 4076)
      • Malware.exe (PID: 5200)
      • Malware.exe (PID: 6932)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 5464)
      • schtasks.exe (PID: 3524)

    • Starts application with an unusual extension

      • rundll32.exe (PID: 4076)

    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 4076)
      • dispci.exe (PID: 7060)

    • Creates file in the systems drive root

      • dispci.exe (PID: 7060)

    • Connects to the server without a host name

      • rundll32.exe (PID: 4076)

  • INFO

    • Checks supported languages

      • Malware.exe (PID: 5200)
      • Malware.exe (PID: 6932)
      • dispci.exe (PID: 7060)
      • 5C0E.tmp (PID: 6344)

    • The sample compiled with english language support

      • Malware.exe (PID: 5200)

    • Manual execution by a user

      • notepad++.exe (PID: 6476)
      • Malware.exe (PID: 6832)
      • Malware.exe (PID: 6932)
      • dispci.exe (PID: 1480)
      • dispci.exe (PID: 7060)

    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 4076)

    • Sends debugging messages

      • notepad++.exe (PID: 6476)

    • Checks proxy server information

      • rundll32.exe (PID: 4076)

    • Reads the machine GUID from the registry

      • dispci.exe (PID: 7060)

    • Reads the computer name

      • dispci.exe (PID: 7060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:10:22 02:33:58+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 12288
InitializedDataSize: 43520
UninitializedDataSize: -
EntryPoint: 0x12c0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line
FileVersionNumber: 27.0.0.170
ProductVersionNumber: 27.0.0.170
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Adobe Systems Incorporated
FileDescription: Adobe® Flash® Player Installer/Uninstaller 27.0 r0
FileVersion: 27,0,0,170
InternalName: Adobe® Flash® Player Installer/Uninstaller 27.0
LegalCopyright: Copyright © 1996-2017 Adobe Systems Incorporated
LegalTrademarks: Adobe® Flash® Player
OriginalFileName: FlashUtil.exe
ProductName: Adobe® Flash® Player Installer/Uninstaller
ProductVersion: 27,0,0,170
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
162
Monitored processes
27
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #BADRABBIT malware.exe conhost.exe no specs #BADRABBIT rundll32.exe cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs 5c0e.tmp no specs conhost.exe no specs conhost.exe no specs schtasks.exe no specs schtasks.exe no specs rundll32.exe no specs notepad++.exe malware.exe no specs malware.exe conhost.exe no specs #BADRABBIT rundll32.exe no specs dispci.exe no specs dispci.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs malware.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
448\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
488"C:\Users\admin\Desktop\Malware.exe" C:\Users\admin\Desktop\Malware.exeexplorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 27.0 r0
Exit code:
3221226540
Version:
27,0,0,170
Modules
Images
c:\users\admin\desktop\malware.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1480"C:\Windows\dispci.exe" C:\Windows\dispci.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Microsoft Display Class Installer
Exit code:
3221226540
Version:
1.1.846.118
Modules
Images
c:\windows\dispci.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2828/c schtasks /Delete /F /TN rhaegalC:\Windows\SysWOW64\cmd.exedispci.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3152\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3220C:\WINDOWS\system32\rundll32.exe C:\Windows\infpub.dat,#1 15C:\Windows\SysWOW64\rundll32.exe
Malware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
3524schtasks /Delete /F /TN rhaegalC:\Windows\SysWOW64\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4076C:\WINDOWS\system32\rundll32.exe C:\Windows\infpub.dat,#1 15C:\Windows\SysWOW64\rundll32.exe
Malware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
4160/c schtasks /Delete /F /TN rhaegalC:\Windows\SysWOW64\cmd.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
4932\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exedispci.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 306
Read events
1 303
Write events
3
Delete events
0

Modification events

(PID) Process:(4076) rundll32.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}
Operation:writeName:LowerFilters
Value:
cscc
(PID) Process:(4076) rundll32.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e965-e325-11ce-bfc1-08002be10318}
Operation:writeName:UpperFilters
Value:
cscc
(PID) Process:(4076) rundll32.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl
Operation:writeName:DumpFilters
Value:
cscc
Executable files
6
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
6476notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\langs.xmlxml
MD5:FE22EC5755BC98988F9656F73B2E6FB8
SHA256:F972C425CE176E960F6347F1CA2F64A8CE2B95A375C33A03E57538052BA0624D
6932Malware.exeC:\Windows\infpub.datexecutable
MD5:1D724F95C61F1055F0D02C2154BBCCD3
SHA256:579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648
4076rundll32.exeC:\Users\admin\Documents\Database1.accdbtext
MD5:FFB5B92991F3D7042165F9187FE4BBB4
SHA256:093A7B7131EF1639EB20ECEF31AD023EA71F7C365F4F7FC4B5A5BD337E9835D9
5200Malware.exeC:\Windows\infpub.datexecutable
MD5:1D724F95C61F1055F0D02C2154BBCCD3
SHA256:579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648
4076rundll32.exeC:\Windows\dispci.exeexecutable
MD5:B14D8FAF7F0CBCFAD051CEFE5F39645F
SHA256:8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
4076rundll32.exeC:\Windows\cscc.datexecutable
MD5:EDB72F4A46C39452D1A5414F7D26454A
SHA256:0B2F863F4119DC88A22CC97C0A136C88A0127CB026751303B045F7322A8972F6
6476notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\plugins\config\converter.initext
MD5:F70F579156C93B097E656CABA577A5C9
SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
4076rundll32.exeC:\Windows\5C0E.tmpexecutable
MD5:347AC3B6B791054DE3E5720A7144A977
SHA256:301B905EB98D8D6BB559C04BBDA26628A942B2C4107C07A02E8F753BDCFE347C
6476notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\stylers.xmlxml
MD5:312281C4126FA897EF21A7E8CCB8D495
SHA256:53B4BE3ED1CFD712E53542B30CFE30C5DB35CC48BE7C57727DFEC26C9E882E90
6476notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xmltext
MD5:F11D96162BC521F5CF49FFE6B6841C9B
SHA256:BE9AEAEAB5A2E4899BA7E582274BA592C1B9BAF688B340A754B8EF32B23CFA9C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
69
DNS requests
14
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2216
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4076
rundll32.exe
OPTIONS
403
192.229.221.95:80
http://192.229.221.95/
unknown
whitelisted
4076
rundll32.exe
OPTIONS
400
95.101.149.131:80
http://95.101.149.131/
unknown
unknown
4076
rundll32.exe
OPTIONS
400
40.126.31.71:80
http://40.126.31.71/
unknown
whitelisted
7092
SIHClient.exe
GET
200
184.30.230.103:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7092
SIHClient.exe
GET
200
184.30.230.103:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7040
svchost.exe
OPTIONS
403
192.229.221.95:80
http://192.229.221.95/admin%24
unknown
whitelisted
7040
svchost.exe
OPTIONS
403
192.229.221.95:80
http://192.229.221.95/admin%24
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5064
SearchApp.exe
104.126.37.137:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
95.101.149.131:445
Akamai International B.V.
NL
unknown
4
System
40.126.31.71:445
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.2:445
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.137
  • 104.126.37.128
  • 104.126.37.185
  • 104.126.37.178
  • 104.126.37.130
  • 104.126.37.131
  • 104.126.37.179
  • 104.126.37.177
  • 104.126.37.123
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.71
  • 40.126.31.69
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.64
  • 40.126.31.67
  • 20.190.159.2
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.230.103
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

Found threats are available for the paid subscriptions
4 ETPRO signatures available at the full report
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: error while getting certificate informations
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Malware.exe