File name: 9D3A277F236CC2A0.exe
Full analysis: https://app.any.run/tasks/c3da8a75-cc95-474a-8867-a3a4c29e7d06
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: January 27, 2024, 20:13:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DFE349400B2AD02A7C695BEDC2DC4153
SHA1: 9CAE22F1C8923F75ECB7ED1C68C3DAD5B5056C39
SHA256: 6376DB6C71E7E0BFEE6B54FF3C78CE1BE9E673522505EADD657D347603B49765
SSDEEP: 3072:SaLP9Bpakdzv0Km1j1U7391WmzIlDyDuL/ZwxUM6OLlxzt2WTLtQ3iOBBDFFFG3F:99fakd7QRq7391LIlDyDe6br5Q3inMVQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • runas.exe (PID: 2568)
      • 9D3A277F236CC2A0.exe (PID: 2692)
      • svchost.com (PID: 2804)
      • 9D3A277F236CC2A0.exe (PID: 2724)
    • Deletes shadow copies

      • cmd.exe (PID: 2060)
    • Actions look like stealing of personal data

      • 9D3A277F236CC2A0.exe (PID: 2724)
      • svchost.com (PID: 2804)
      • 9D3A277F236CC2A0.exe (PID: 2692)
    • Renames files like ransomware

      • 9D3A277F236CC2A0.exe (PID: 2724)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 9D3A277F236CC2A0.exe (PID: 2692)
      • svchost.com (PID: 2804)
      • 9D3A277F236CC2A0.exe (PID: 2724)
    • Starts application with an unusual extension

      • 9D3A277F236CC2A0.exe (PID: 2724)
    • Starts CMD.EXE for commands execution

      • svchost.com (PID: 2804)
    • Reads the Internet Settings

      • 9D3A277F236CC2A0.exe (PID: 2692)
      • 9D3A277F236CC2A0.exe (PID: 2724)
    • Process drops legitimate windows executable

      • 9D3A277F236CC2A0.exe (PID: 2724)
    • The process drops Mozilla's DLL files

      • 9D3A277F236CC2A0.exe (PID: 2724)
    • The process drops C-runtime libraries

      • 9D3A277F236CC2A0.exe (PID: 2724)
    • Creates files like ransomware instruction

      • 9D3A277F236CC2A0.exe (PID: 2724)
    • Drops 7-zip archiver for unpacking

      • 9D3A277F236CC2A0.exe (PID: 2724)
  • INFO

    • Reads the computer name

      • 9D3A277F236CC2A0.exe (PID: 2724)
      • 9D3A277F236CC2A0.exe (PID: 2692)
    • Checks supported languages

      • svchost.com (PID: 2804)
      • 9D3A277F236CC2A0.exe (PID: 2692)
      • 9D3A277F236CC2A0.exe (PID: 2724)
    • Reads the machine GUID from the registry

      • 9D3A277F236CC2A0.exe (PID: 2724)
    • Creates files in the program directory

      • 9D3A277F236CC2A0.exe (PID: 2724)
    • Creates files or folders in the user directory

      • 9D3A277F236CC2A0.exe (PID: 2724)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (89.3)
.exe | Win32 Executable Delphi generic (4.8)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 50
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Graph nodes (in order): start, runas.exe (no specs), 9d3a277f236cc2a0.exe, 9d3a277f236cc2a0.exe, svchost.com, cmd.exe (no specs), vssadmin.exe (no specs)

Process information

PID: 1824
CMD: vssadmin.exe delete shadows /all /quiet
Path: C:\Windows\System32\vssadmin.exe
Parent process: cmd.exe
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\vssadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

PID: 2060
CMD: C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
Path: C:\Windows\System32\cmd.exe
Parent process: svchost.com
User: Administrator
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2568
CMD: "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Desktop\9D3A277F236CC2A0.exe
Path: C:\Windows\System32\runas.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Run As Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\runas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

PID: 2692
CMD: C:\Users\admin\Desktop\9D3A277F236CC2A0.exe
Path: C:\Users\admin\Desktop\9D3A277F236CC2A0.exe
Parent process: runas.exe
User: Administrator
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\desktop\9d3a277f236cc2a0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 2724
CMD: "C:\Users\ADMINI~1\AppData\Local\Temp\3582-490\9D3A277F236CC2A0.exe"
Path: C:\Users\Administrator\AppData\Local\Temp\3582-490\9D3A277F236CC2A0.exe
Parent process: 9D3A277F236CC2A0.exe
User: Administrator
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\administrator\appdata\local\temp\3582-490\9d3a277f236cc2a0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 2804
CMD: "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
Path: C:\Windows\svchost.com
Parent process: 9D3A277F236CC2A0.exe
User: Administrator
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\windows\svchost.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 118 518
Read events: 118 466
Write events: 8
Delete events: 44

Modification events

PID: 2692, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: delete value
Name: ProxyBypass
Value: 0

PID: 2692, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: delete value
Name: IntranetName
Value: 0

PID: 2692, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

PID: 2692, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

PID: 2724, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

PID: 2724, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

PID: 2724, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFilesHash
Value: FB9A2B67A9A10CA4AEB2C9950FC9620B89043B9732D07294C021C8DB3EEAB5B1

PID: 2724, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: RegFiles0000
Value: \\?\C:\Program Files\FileZilla FTP Client\fzshellext.dll

PID: 2724, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: Sequence
Value: 1

PID: 2724, Process: 9D3A277F236CC2A0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: delete value
Name: SessionHash
Value: DDC6505EB58DCBE696D2B9106310BFA696AABC95607B3ADB1EB7ECBA5A8F8A4A
Executable files: 1 501
Suspicious files: 6 681
Text files: 1 107
Unknown types: 3

Dropped files

PID: 2724, Process: 9D3A277F236CC2A0.exe
Filename: C:\Program Files\CCleaner\CCleaner.exe.EMAIL=[electronicrans@gmail.com]ID=[9D3A277F236CC2A0].ELCTRONIC
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 2692, Process: 9D3A277F236CC2A0.exe
Filename: C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\dwtrig20.exe
Type: executable
MD5: CF6C595D3E5E9667667AF096762FD9C4
SHA256: 593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D

PID: 2692, Process: 9D3A277F236CC2A0.exe
Filename: C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\DW20.EXE
Type: executable
MD5: 02EE6A3424782531461FB2F10713D3C1
SHA256: EAD58C483CB20BCD57464F8A4929079539D634F469B213054BF737D227C026DC

PID: 2724, Process: 9D3A277F236CC2A0.exe
Filename: C:\README ELECTRONIC.txt
Type: text
MD5: 25047D3446508254CE9F924184877CFE
SHA256: F5BEBDCAAB152D0D9A615D4F2CA2B59904E78866BE5C510AD90241F497A3EB66

PID: 2804, Process: svchost.com
Filename: C:\Windows\directx.sys
Type: text
MD5: 8E966011732995CD7680A1CAA974FD57
SHA256: 97D597793EC8307B71F3CFB8A6754BE45BF4C548914367F4DC9AF315C3A93D9B

PID: 2724, Process: 9D3A277F236CC2A0.exe
Filename: C:\Program Files\Adobe\README ELECTRONIC.txt
Type: text
MD5: 25047D3446508254CE9F924184877CFE
SHA256: F5BEBDCAAB152D0D9A615D4F2CA2B59904E78866BE5C510AD90241F497A3EB66

PID: 2692, Process: 9D3A277F236CC2A0.exe
Filename: C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\dwtrig20.exe
Type: executable
MD5: CF6C595D3E5E9667667AF096762FD9C4
SHA256: 593E60CC30AE0789448547195AF77F550387F6648D45847EA244DD0DD7ABF03D

PID: 2692, Process: 9D3A277F236CC2A0.exe
Filename: C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\setup.exe
Type: executable
MD5: 566ED4F62FDC96F175AFEDD811FA0370
SHA256: E17CD94C08FC0E001A49F43A0801CEA4625FB9AEE211B6DFEBEBEC446C21F460

PID: 2724, Process: 9D3A277F236CC2A0.exe
Filename: C:\config.sys.EMAIL=[electronicrans@gmail.com]ID=[9D3A277F236CC2A0].ELCTRONIC
Type: text
MD5: ED4FC5980BD8B1AD869FF725C7776338
SHA256: E382AE82D3F529644CB4BD8AA8A592656FA406AE6D805BA869BFC355C7EC682D

PID: 2724, Process: 9D3A277F236CC2A0.exe
Filename: C:\ProgramData\README ELECTRONIC.txt
Type: text
MD5: 25047D3446508254CE9F924184877CFE
SHA256: F5BEBDCAAB152D0D9A615D4F2CA2B59904E78866BE5C510AD90241F497A3EB66
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (Domain, ASN and CN were empty for every row)

PID: (not listed) | Process: (not listed) | IP: 224.0.0.252:5355 | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info