File name: 1.exe
Full analysis: https://app.any.run/tasks/649fff18-14f5-4544-8d04-0a981d2e0c79
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: February 26, 2020, 08:23:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 78177C46AE7665B94DE672FCF0A26D8E
SHA1: 16DBA40C098AD8EA3489C4F0E628A12686656FF8
SHA256: 63D6C419A8229BC7FC2089A2899D27BAC746DE0E96368E2A49D7C7754ABD29F4
SSDEEP: 196608:xe/lwqYS0r1rda1lLnbrG/QeBv0LrtbYPvbJQlH+L8C2fmdkbWCou1C:xe+qYSCk1NPG/QaurkJQlLbWu8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • 1.exe (PID: 2112)
    • Renames files like Ransomware
      • 1.exe (PID: 2112)
  • SUSPICIOUS
    • Loads Python modules
      • 1.exe (PID: 2112)
    • Creates files like Ransomware instruction
      • 1.exe (PID: 2112)
    • Application launched itself
      • 1.exe (PID: 2312)
    • Executable content was dropped or overwritten
      • 1.exe (PID: 2312)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • 1.exe (PID: 2112)
      • 1.exe (PID: 2312)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x7cd3
UninitializedDataSize: -
InitializedDataSize: 173568
CodeSize: 126976
LinkerVersion: 14
PEType: PE32
TimeStamp: 2020:01:05 13:16:35+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Jan-2020 12:16:35

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 05-Jan-2020 12:16:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0001EE04 | 0x0001F000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.64212
.rdata | 0x00020000 | 0x0000B206 | 0x0000B400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.06574
.data | 0x0002C000 | 0x0000E688 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.92321
.gfids | 0x0003B000 | 0x000000B8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.82374
.rsrc | 0x0003C000 | 0x0000EEC8 | 0x0000F000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.51705
.reloc | 0x0004B000 | 0x000017B4 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.65769

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 6.15653 | 3752 | UNKNOWN | UNKNOWN | RT_ICON
2 | 6.44895 | 2216 | UNKNOWN | UNKNOWN | RT_ICON
3 | 5.77742 | 1384 | UNKNOWN | UNKNOWN | RT_ICON
4 | 7.95095 | 38188 | UNKNOWN | UNKNOWN | RT_ICON
5 | 6.0521 | 9640 | UNKNOWN | UNKNOWN | RT_ICON
6 | 6.15081 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
7 | 6.39466 | 1128 | UNKNOWN | UNKNOWN | RT_ICON
101 | 2.71858 | 104 | UNKNOWN | UNKNOWN | RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
USER32.dll
WS2_32.dll
No data.
Total processes: 36
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start 1.exe 1.exe

Process information

PID | CMD | Path | Parent process
2312 | "C:\Users\admin\AppData\Local\Temp\1.exe" | C:\Users\admin\AppData\Local\Temp\1.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\appdata\local\temp\1.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\advapi32.dll

PID | CMD | Path | Parent process
2112 | "C:\Users\admin\AppData\Local\Temp\1.exe" | C:\Users\admin\AppData\Local\Temp\1.exe | 1.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\appdata\local\temp\1.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
Total events: 3
Read events: 3
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 64
Suspicious files: 19
Text files: 923
Unknown types: 2

Dropped files

PID | Process | Filename | Type
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_cfb.cp38-win32.pyd | executable
  MD5: 77EC43FAFC51D6E05AF9E12AD792E16B
  SHA256: C9C49B6D1421CFE0C769F2125351869FD9D6FE0F6818E44980F563D46DD3AEED
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_blowfish.cp38-win32.pyd | executable
  MD5: 369E950192454B6C23A2ED8FB46026E9
  SHA256: 7718655260DE4AE6B7489D9835242240F89E3F0657948E87CDFF62DDB756B353
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_Salsa20.cp38-win32.pyd | executable
  MD5: BC15AECE0BD2A2DFE022903D9AE54B23
  SHA256: 946824DC1B7DAD9EBA15CE16705331AA928D1AFDB17C75CA296996C3D4CE3601
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_ocb.cp38-win32.pyd | executable
  MD5: 7C565D5CF0D775B078BD1BF1D125DD9E
  SHA256: 02206348D6EF7C1F20FC3A74375C7722A4D55396E3F5D9C81DD5743E6534EBCD
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_cast.cp38-win32.pyd | executable
  MD5: 4509168BFC9809F1CC481D6381647FA9
  SHA256: 8055ECABEC37BAE40DF3ABF3CAB314CFAF872674FE112F3BADB6B6EB5EF64D38
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_aesni.cp38-win32.pyd | executable
  MD5: 5D4983C464870B4AB5F53910D7D75786
  SHA256: 61F361041D68F991788A4852C3C5CE173A80D2C751ADF9A60C49370F910661AB
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_chacha20.cp38-win32.pyd | executable
  MD5: F4943F0688C88631F3DD6D0B78BA0DF7
  SHA256: 602C005D7F304334B977D9D634A623053AE171BA93302107E8D7DB7C5C0FF868
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Hash\_MD2.cp38-win32.pyd | executable
  MD5: 7EE852BA078071A6793B69B6F010C208
  SHA256: 392099BD41099D7A3F844BC038E2673670B6281ADABEFE6B138E2CFC9CB539B1
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Hash\_BLAKE2s.cp38-win32.pyd | executable
  MD5: EEF4765E41452B0F901A88ACEDFEB4FE
  SHA256: 36BC4A88DEDE0488857A5E735AD7565691A2D23D0013AACE4D0999AFDEDEB9DB
2312 | 1.exe | C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_ARC4.cp38-win32.pyd | executable
  MD5: D687782904E00EEE781835A17F3CCA05
  SHA256: CE25534B9FE88E00783590A833E81A85E22480505D548191CDA6E7773591BA9F
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2112 | 1.exe | 198.13.49.179:8989 | - | - | US | unknown

DNS requests

Domain | IP | Reputation
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
No debug info