File name: 1.exe

Full analysis: https://app.any.run/tasks/649fff18-14f5-4544-8d04-0a981d2e0c79
Verdict: Malicious activity
Analysis date: February 26, 2020, 08:23:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 78177C46AE7665B94DE672FCF0A26D8E
SHA1: 16DBA40C098AD8EA3489C4F0E628A12686656FF8
SHA256: 63D6C419A8229BC7FC2089A2899D27BAC746DE0E96368E2A49D7C7754ABD29F4
SSDEEP: 196608:xe/lwqYS0r1rda1lLnbrG/QeBv0LrtbYPvbJQlH+L8C2fmdkbWCou1C:xe+qYSCk1NPG/QaurkJQlLbWu8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • 1.exe (PID: 2112)
    • Renames files like Ransomware

      • 1.exe (PID: 2112)
  • SUSPICIOUS

    • Creates files like Ransomware instruction

      • 1.exe (PID: 2112)
    • Application launched itself

      • 1.exe (PID: 2312)
    • Loads Python modules

      • 1.exe (PID: 2112)
    • Executable content was dropped or overwritten

      • 1.exe (PID: 2312)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • 1.exe (PID: 2312)
      • 1.exe (PID: 2112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

TRiD's percentages are signature-match scores, not a verdict: its top guess (Win64) contradicts the PE header below (PEType PE32, MachineType Intel 386), and the header is authoritative.

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: 0
OSVersion: 5.1
EntryPoint: 0x7cd3
UninitializedDataSize: 0
InitializedDataSize: 173568
CodeSize: 126976
LinkerVersion: 14
PEType: PE32
TimeStamp: 2020:01:05 13:16:35+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Jan-2020 12:16:35

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 05-Jan-2020 12:16:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                                 Entropy
.text   0x00001000       0x0001EE04    0x0001F000  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                   6.64212
.rdata  0x00020000       0x0000B206    0x0000B400  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                              6.06574
.data   0x0002C000       0x0000E688    0x00000A00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE         1.92321
.gfids  0x0003B000       0x000000B8    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                              1.82374
.rsrc   0x0003C000       0x0000EEC8    0x0000F000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                              7.51705
.reloc  0x0004B000       0x000017B4    0x00001800  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ   6.65769
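The section table is where packing usually shows first, but reading it by hand is error-prone. The script below, an added example and not ANY.RUN's code, parses the COFF header and section table of any PE32/PE32+ file with the standard library, computes the same per-section Shannon entropy the table above reports, and runs the checks an analyst applies on top of it: sections that are both writable and executable, executable sections with entropy above 7, and data appended after the last section (an overlay, which a section table never shows). The image it parses is constructed inline, with a deliberately bad UPX1 section and a 32-byte overlay; PYINSTALLER_COOKIE_MAGIC is the cookie PyInstaller writes into the archive it appends to its bootloader, and the 7.0 threshold is this example's choice.

```python
"""Minimal PE section-table parser with per-section entropy (stdlib only).

Added example, not ANY.RUN's code. Struct layouts and flag values are from the
PE/COFF specification; build_sample_pe() constructs a small image inline so the
script runs offline. parse_pe(open(path, "rb").read()) reproduces a report's
Sections table for a real file.
"""
import math
import struct
from datetime import datetime, timezone

SCN_FLAGS = {  # IMAGE_SCN_* section characteristics, by bit
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
# Cookie PyInstaller writes into the archive it appends to its bootloader EXE.
PYINSTALLER_COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n, counts, h = len(data), [0] * 256, 0.0
    for b in data:
        counts[b] += 1
    for c in counts:
        if c:
            h -= c / n * math.log2(c / n)
    return h


def parse_pe(image: bytes) -> dict:
    """Parse e_lfanew, the COFF header and the section table of a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    magic = struct.unpack_from("<H", image, coff + 20)[0]   # first field of the optional header
    off, end, sections = coff + 20 + opt_size, 0, []
    for _ in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "rsize": rsize, "flags": flags,
            "flag_names": [SCN_FLAGS[b] for b in sorted(SCN_FLAGS) if flags & b],
            "entropy": round(entropy(image[rptr:rptr + rsize]), 5),
        })
        end = max(end, rptr + rsize)   # anything past the last raw section is overlay
        off += 40
    return {
        "machine": machine, "characteristics": chars,
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compiled": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "sections": sections,
        "overlay_size": len(image) - end, "overlay": image[end:],
    }


def section_findings(pe: dict) -> list:
    """Triage checks an analyst applies to the parsed section table."""
    out = []
    for s in pe["sections"]:
        if s["flags"] & SCN_EXECUTE and s["flags"] & SCN_WRITE:
            out.append(f"{s['name']}: writable+executable section")
        if s["flags"] & SCN_EXECUTE and s["entropy"] > 7.0:
            out.append(f"{s['name']}: executable section with entropy {s['entropy']:.2f}")
    if pe["overlay_size"]:
        out.append(f"overlay: {pe['overlay_size']} bytes after the last section")
        if PYINSTALLER_COOKIE_MAGIC in pe["overlay"]:
            out.append("overlay: PyInstaller archive cookie present")
    return out


def build_sample_pe() -> bytes:
    """Construct a PE32 image (not the report's sample) with one bad section and an overlay."""
    secs = [  # (name, characteristics, raw data); every body is 512 bytes
        (b".text", SCN_CODE | SCN_EXECUTE | SCN_READ, bytes(range(64)) * 8),              # entropy 6.0
        (b".data", SCN_IDATA | SCN_READ | SCN_WRITE, bytes(512)),                          # entropy 0.0
        (b"UPX1", SCN_CODE | SCN_EXECUTE | SCN_READ | SCN_WRITE, bytes(range(256)) * 2),  # entropy 8.0
    ]
    opt_size, raw_ptr, va, table, body = 0xE0, 0x200, 0x1000, b"", b""
    for name, flags, data in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, flags)
        body, raw_ptr, va = body + data, raw_ptr + len(data), va + 0x1000
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    # COFF: I386, 3 sections, 2020-01-05 12:16:35 UTC, 0xE0-byte optional header, 0x0122 flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x5E11D3A3, 0, 0, opt_size, 0x0122)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # PE32 magic, remainder zeroed
    image = dos + b"PE\0\0" + coff + opt + table
    image += bytes(0x200 - len(image)) + body
    return image + bytes(24) + PYINSTALLER_COOKIE_MAGIC     # constructed 32-byte overlay


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["pe_type"], pe["compiled"], *section_findings(pe), sep="\n")
```

Applied to the table above, these checks stay quiet: no section is both writable and executable, and the only entropy above 7 is .rsrc (7.51705), which holds the icon resources; a 38188-byte RT_ICON at 7.95 is consistent with a PNG-compressed icon and is not on its own a packing indicator. What a section table cannot show is the bundle that "Loads Python modules" and the _MEI drop directory in this report point to, which is appended after the last section, so the overlay check is the one that matters for this sample.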

Resources

Title  Entropy  Size   Codepage  Language  Type
1      6.15653  3752   UNKNOWN   UNKNOWN   RT_ICON
2      6.44895  2216   UNKNOWN   UNKNOWN   RT_ICON
3      5.77742  1384   UNKNOWN   UNKNOWN   RT_ICON
4      7.95095  38188  UNKNOWN   UNKNOWN   RT_ICON
5      6.0521   9640   UNKNOWN   UNKNOWN   RT_ICON
6      6.15081  4264   UNKNOWN   UNKNOWN   RT_ICON
7      6.39466  1128   UNKNOWN   UNKNOWN   RT_ICON
101    2.71858  104    UNKNOWN   UNKNOWN   RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
USER32.dll
WS2_32.dll
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> 1.exe (PID 2312) -> 1.exe (PID 2112)

Process information

PID   CMD                                         Path                                      Parent process  User   Integrity Level
2312  "C:\Users\admin\AppData\Local\Temp\1.exe"   C:\Users\admin\AppData\Local\Temp\1.exe   explorer.exe    admin  MEDIUM
2112  "C:\Users\admin\AppData\Local\Temp\1.exe"   C:\Users\admin\AppData\Local\Temp\1.exe   1.exe           admin  MEDIUM
Total events: 3
Read events: 3
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 64
Suspicious files: 19
Text files: 923
Unknown types: 2

Dropped files

PID   Process  Filename                                                                           Type
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_cbc.cp38-win32.pyd     executable
      MD5: 08669D3DDF33520F19BADB764C43916D
      SHA256: CB4939EA07B194494D236E85962F85F5DB3BCC6981C14900B035D6F75D879239
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_aes.cp38-win32.pyd     executable
      MD5: 9EF3710D7D806FD37F2947D98CB35287
      SHA256: F1F7511E0DFE34B4AB228550375CBE529451887F922F28EDFB623B26EE831435
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_chacha20.cp38-win32.pyd    executable
      MD5: F4943F0688C88631F3DD6D0B78BA0DF7
      SHA256: 602C005D7F304334B977D9D634A623053AE171BA93302107E8D7DB7C5C0FF868
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_aesni.cp38-win32.pyd   executable
      MD5: 5D4983C464870B4AB5F53910D7D75786
      SHA256: 61F361041D68F991788A4852C3C5CE173A80D2C751ADF9A60C49370F910661AB
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_arc2.cp38-win32.pyd    executable
      MD5: 98D64F4B5C86A8F07AE8A5A0FA69B646
      SHA256: 17625DB60AC77117C2AB44872EEB10B44276E0454AE6B821B0F73532F5601CEC
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_Salsa20.cp38-win32.pyd     executable
      MD5: BC15AECE0BD2A2DFE022903D9AE54B23
      SHA256: 946824DC1B7DAD9EBA15CE16705331AA928D1AFDB17C75CA296996C3D4CE3601
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_cfb.cp38-win32.pyd     executable
      MD5: 77EC43FAFC51D6E05AF9E12AD792E16B
      SHA256: C9C49B6D1421CFE0C769F2125351869FD9D6FE0F6818E44980F563D46DD3AEED
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_ctr.cp38-win32.pyd     executable
      MD5: E7243BBBBCEF13B59C97383BB93C8A76
      SHA256: 7A5F4944530AE2B9548BCE203B84D96A73AE0EBEDE152219417213A485FEC393
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_raw_cast.cp38-win32.pyd    executable
      MD5: 4509168BFC9809F1CC481D6381647FA9
      SHA256: 8055ECABEC37BAE40DF3ABF3CAB314CFAF872674FE112F3BADB6B6EB5EF64D38
2312  1.exe    C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher\_ARC4.cp38-win32.pyd        executable
      MD5: D687782904E00EEE781835A17F3CCA05
      SHA256: CE25534B9FE88E00783590A833E81A85E22480505D548191CDA6E7773591BA9F
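The dropped-file list and the process tree together are what establish how this sample is packaged: PID 2312 (started by explorer.exe) writes CPython 3.8 extension modules (the .cp38-win32.pyd ABI tag) into %TEMP%\_MEI23122\Crypto\Cipher, then starts PID 2112 with an identical command line, and 2112 is the process that "Loads Python modules". That is the PyInstaller onefile pattern, in which the bootloader unpacks its bundle into a _MEI<digits> directory and re-executes itself to run the embedded interpreter, and Crypto\Cipher\_raw_*.pyd is the PyCryptodome package layout. The script below, an added example and not ANY.RUN's code, encodes those checks over records transcribed from this report. The rule that the _MEI digits begin with the writer's PID is a heuristic read off this report (2312 -> _MEI23122), and the regular expressions and finding strings are the example's own.

```python
"""Triage of a sandbox process tree and dropped-file list for a PyInstaller-packed
Python sample (stdlib only).

Added example, not ANY.RUN's code. PROCESSES and DROPPED are transcribed from this
report's Process information and Dropped files tables; the PID-prefix heuristic and
the cipher-module mapping are this example's own assumptions.
"""
import re
from collections import defaultdict

PROCESSES = [  # (pid, parent image name, command line) as listed in the report
    (2312, "explorer.exe", r'"C:\Users\admin\AppData\Local\Temp\1.exe"'),
    (2112, "1.exe", r'"C:\Users\admin\AppData\Local\Temp\1.exe"'),
]
DROP_DIR = r"C:\Users\admin\AppData\Local\Temp\_MEI23122\Crypto\Cipher"
DROPPED = [(2312, DROP_DIR + "\\" + f) for f in (  # PID 2312 wrote all of these
    "_raw_cbc.cp38-win32.pyd", "_raw_aes.cp38-win32.pyd", "_chacha20.cp38-win32.pyd",
    "_raw_aesni.cp38-win32.pyd", "_raw_arc2.cp38-win32.pyd", "_Salsa20.cp38-win32.pyd",
    "_raw_cfb.cp38-win32.pyd", "_raw_ctr.cp38-win32.pyd", "_raw_cast.cp38-win32.pyd",
    "_ARC4.cp38-win32.pyd",
)]

MEI_DIR = re.compile(r"\\_MEI(\d+)\\", re.IGNORECASE)   # PyInstaller onefile temp dir
PYD_TAG = re.compile(r"\.cp(\d)(\d+)-(win32|win_amd64)\.pyd$", re.IGNORECASE)
CIPHER_MOD = re.compile(r"Crypto\\Cipher\\_(?:raw_)?([A-Za-z0-9]+)\.cp", re.IGNORECASE)


def pyinstaller_extractions(dropped):
    """Group dropped files by _MEI<digits> directory and record which PIDs wrote there.

    Heuristic (assumption): the digits after _MEI begin with the PID of the
    bootloader that created the directory, as 2312 -> _MEI23122 in this report,
    so a writer whose PID is not a prefix of the digits deserves a second look."""
    dirs = defaultdict(lambda: {"pids": set(), "files": [], "pid_prefix_match": True})
    for pid, path in dropped:
        m = MEI_DIR.search(path)
        if not m:
            continue
        d = dirs[m.group(1)]
        d["pids"].add(pid)
        d["files"].append(path[m.end():])   # path relative to the _MEI directory
        if not m.group(1).startswith(str(pid)):
            d["pid_prefix_match"] = False
    return dict(dirs)


def python_runtime(files):
    """CPython version/platform pairs from extension-module ABI tags (.cp38-win32.pyd)."""
    return {(f"{m.group(1)}.{m.group(2)}", m.group(3).lower())
            for m in map(PYD_TAG.search, files) if m}


def cipher_modules(files):
    """Cipher and mode modules dropped under Crypto\\Cipher (PyCryptodome's layout)."""
    return sorted({m.group(1).lower() for m in map(CIPHER_MOD.search, files) if m})


def self_launch(processes):
    """(parent_pid, child_pid) pairs where the child's parent image is another
    process's image and both ran the identical command line: the 'Application
    launched itself' signature. The report lists parent names, not parent PIDs,
    so the match is by image name; with PPIDs available, compare those instead."""
    pairs = []
    for ppid, _, pcmd in processes:
        image = pcmd.strip('"').rsplit("\\", 1)[-1].lower()
        for cpid, cparent, ccmd in processes:
            if cpid != ppid and cparent.lower() == image and ccmd == pcmd:
                pairs.append((ppid, cpid))
    return pairs


def triage(processes, dropped):
    """Human-readable findings combining the three checks above."""
    findings = []
    for digits, d in pyinstaller_extractions(dropped).items():
        note = "" if d["pid_prefix_match"] else " (writer PID is not a prefix of the digits)"
        findings.append(f"PyInstaller extraction dir _MEI{digits} written by PID {sorted(d['pids'])}{note}")
        for version, platform in sorted(python_runtime(d["files"])):
            findings.append(f"bundled CPython {version} {platform} extension modules")
        mods = cipher_modules(d["files"])
        if mods:
            findings.append("cipher modules dropped: " + ", ".join(mods))
    for parent, child in self_launch(processes):
        findings.append(f"PID {parent} relaunched itself as PID {child} with an identical command line")
    return findings


if __name__ == "__main__":
    print(*triage(PROCESSES, DROPPED), sep="\n")
```

The cipher-module list is an inventory of what the bundle ships, not of what the sample calls: PyInstaller packs every module its import graph reaches, so AES, ChaCha20, Salsa20, ARC4, CAST and ARC2 being present shows a dependency on PyCryptodome, not that all of them are used. Which primitive the ransomware actually applies to the files it renames has to come from the full report's event trace. Likewise, the four DLLs in the Imports section are the bootloader's own and say nothing about what the Python payload does.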