analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

9882c2f5a95d7680626470f6c0d3609c7590eb552065f81ab41ffe074ea74e82.zip

Full analysis: https://app.any.run/tasks/16f850d7-958f-43b1-a360-fa004acaa115
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 05:48:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

656AFE2A9A9B11A183D177C537E5D93F

SHA1:

55B0CAD83B13B5A8B8D8BAE00BB5FBD5524B2D13

SHA256:

643E146E212A88DD5CBEC26F61533D1951705B8F38EF817FB48B70F695587CAC

SSDEEP:

6144:iQo06nXgOZp4KGU97QwF28siFA1abCC0Zp90dt7PANMRUxkZvh:o0uZSKGY7siFA1abC+VANMqxc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts Visual C# compiler

      • powershell.exe (PID: 944)

    • Actions looks like stealing of personal data

      • powershell.exe (PID: 944)

  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 944)

    • Creates files in the program directory

      • powershell.exe (PID: 944)

    • Creates files in the user directory

      • powershell.exe (PID: 944)

    • Reads the cookies of Mozilla Firefox

      • powershell.exe (PID: 944)

    • Creates files like Ransomware instruction

      • powershell.exe (PID: 944)

  • INFO

    • Manual execution by user

      • powershell.exe (PID: 944)
      • NOTEPAD.EXE (PID: 2204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 9882c2f5a95d7680626470f6c0d3609c7590eb552065f81ab41ffe074ea74e82.ps1
ZipUncompressedSize: 552073
ZipCompressedSize: 294672
ZipCRC: 0x7452a814
ZipModifyDate: 2020:09:30 05:30:17
ZipCompression: Unknown (99)
ZipBitFlag: 0x0003
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs powershell.exe csc.exe cvtres.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2436"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\9882c2f5a95d7680626470f6c0d3609c7590eb552065f81ab41ffe074ea74e82.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
944"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\9882c2f5a95d7680626470f6c0d3609c7590eb552065f81ab41ffe074ea74e82.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2948"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\egpxc4ln.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
936C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES19B4.tmp" "c:\Users\admin\AppData\Local\Temp\CSC19B3.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
2204"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Pictures\!!FAQ for Decryption!!.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
713
Read events
632
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
190
Unknown types
0

Dropped files

PID
Process
Filename
Type
944powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QXI7GIBL1GH3KD33JW0B.temp
MD5:
SHA256:
944powershell.exeC:\Users\admin\AppData\Local\Temp\egpxc4ln.0.cs
MD5:
SHA256:
944powershell.exeC:\Users\admin\AppData\Local\Temp\egpxc4ln.cmdline
MD5:
SHA256:
2948csc.exeC:\Users\admin\AppData\Local\Temp\CSC19B3.tmp
MD5:
SHA256:
2948csc.exeC:\Users\admin\AppData\Local\Temp\egpxc4ln.pdb
MD5:
SHA256:
936cvtres.exeC:\Users\admin\AppData\Local\Temp\RES19B4.tmp
MD5:
SHA256:
2948csc.exeC:\Users\admin\AppData\Local\Temp\egpxc4ln.dll
MD5:
SHA256:
2948csc.exeC:\Users\admin\AppData\Local\Temp\egpxc4ln.out
MD5:
SHA256:
944powershell.exeC:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf
MD5:
SHA256:
944powershell.exeVolume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf.cuba
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
9882c2f5a95d7680626470f6c0d3609c7590eb552065f81ab41ffe074ea74e82.zip