Malware analysis encrypter-windows-x86.exe Malicious activity

Add for printing

File name:	encrypter-windows-x86.exe
Full analysis:	https://app.any.run/tasks/854036e4-5de5-4d1e-9bf6-33013e5615d5
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	July 20, 2024, 22:09:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion beast ransomware scan smb
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	2EB4C4496CE075D5885D74D9273D43B9
SHA1:	5E11FDB2D0E0A646EF8A1B29B648EEF2C5B554A2
SHA256:	6718CB66521A678274E5672285BF208EAC375827D622EDCF1FE7EBA7E7AA65E0
SSDEEP:	1536:kY47B7lxE49JjYuQwHFrW+HvXHFbza6V3cYDg:kY4F7lxEYJjYuQwlrZXHFbO6Vl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - encrypter-windows-x86.exe (PID: 1668)
- BEAST mutex has been found
  - encrypter-windows-x86.exe (PID: 1668)
- Attempting to scan the network
  - encrypter-windows-x86.exe (PID: 1668)
- Attempt to connect to SMB server
  - encrypter-windows-x86.exe (PID: 1668)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - encrypter-windows-x86.exe (PID: 1668)
- Checks Windows Trust Settings
  - encrypter-windows-x86.exe (PID: 1668)
- Creates file in the systems drive root
  - encrypter-windows-x86.exe (PID: 1668)
- Checks for external IP
  - encrypter-windows-x86.exe (PID: 1668)
- Potential Corporate Privacy Violation
  - encrypter-windows-x86.exe (PID: 1668)
INFO
- Checks supported languages
  - encrypter-windows-x86.exe (PID: 1668)
- Reads the machine GUID from the registry
  - encrypter-windows-x86.exe (PID: 1668)
- Reads the computer name
  - encrypter-windows-x86.exe (PID: 1668)
- Create files in a temporary directory
  - encrypter-windows-x86.exe (PID: 1668)
- Checks proxy server information
  - encrypter-windows-x86.exe (PID: 1668)
- Reads the software policy settings
  - encrypter-windows-x86.exe (PID: 1668)
- Creates files or folders in the user directory
  - encrypter-windows-x86.exe (PID: 1668)
- Creates files in the program directory
  - encrypter-windows-x86.exe (PID: 1668)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:04:28 09:54:23+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	52736
InitializedDataSize:	33792
UninitializedDataSize:	-
EntryPoint:	0x68d5
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

139

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1668

"C:\Users\admin\AppData\Local\Temp\encrypter-windows-x86.exe"

C:\Users\admin\AppData\Local\Temp\encrypter-windows-x86.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\encrypter-windows-x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

7028

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

4 060

Read events

4 044

Write events

Delete events

Modification events


(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 840600001B69ED8CF1DADA01
(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: D678BB57FA5A4324F5E5FB7FD0E5D19115F7D7450A9A39C8B2680222623E6443
(PID) Process:	(1668) encrypter-windows-x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1668	encrypter-windows-x86.exe	C:\Users\admin\AppData\Local\Temp\default.key		binary
		MD5:6B0477C23E5DB4DCE87834666992DBAF	SHA256:06918C0784A7D061AD2CFD4FDF2623429D0B355ED8F42EAC092EBCC52F9230F9
1668	encrypter-windows-x86.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12		der
		MD5:7FB5FA1534DCF77F2125B2403B30A0EE	SHA256:33A39E9EC2133230533A686EC43760026E014A3828C703707ACBC150FE40FD6F
1668	encrypter-windows-x86.exe	C:\Users\admin\AppData\Local\VirtualStore\README.TXT		text
		MD5:5CB49C748F3604B342CDD4451C89FF79	SHA256:491639E41D85C8ADB1EEC59A02141ED67E141E73775C3E900E30AD58773691BA
1668	encrypter-windows-x86.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:85D1EB1699CDE6DB8A620895F5FFC682	SHA256:5F8374156F7EC85920967D9CC7B5C27B4AA8621D5516D088CC8264732DB28E02
1668	encrypter-windows-x86.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\README.TXT		text
		MD5:5CB49C748F3604B342CDD4451C89FF79	SHA256:491639E41D85C8ADB1EEC59A02141ED67E141E73775C3E900E30AD58773691BA
1668	encrypter-windows-x86.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:56F029A91A61B9D8F085BB8DC9790914	SHA256:ACA04AA345435040054B08F069E2406C29242DC1EACD86F2850D21B5D742DEF8
1668	encrypter-windows-x86.exe	C:\bootTel.dat		vc
		MD5:933CC8B728059D2C31B241FFA4AC703C	SHA256:F9B38397B61D47221B505A61E4529A300DC4EFE469B60855B7CD3528219800C2
1668	encrypter-windows-x86.exe	C:\ProgramData\README.TXT		text
		MD5:5CB49C748F3604B342CDD4451C89FF79	SHA256:491639E41D85C8ADB1EEC59A02141ED67E141E73775C3E900E30AD58773691BA
1668	encrypter-windows-x86.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		der
		MD5:1BFE0A81DB078EA084FF82FE545176FE	SHA256:5BA8817F13EEE00E75158BAD93076AB474A068C6B52686579E0F728FDA68499F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

293

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1668	encrypter-windows-x86.exe	GET	200	172.217.16.131:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
1668	encrypter-windows-x86.exe	GET	200	172.217.16.131:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4716	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7856	svchost.exe	4.208.221.206:443	licensing.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5620	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1668	encrypter-windows-x86.exe	104.21.82.93:443	iplogger.co	CLOUDFLARENET	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
1668	encrypter-windows-x86.exe	172.217.16.131:80	c.pki.goog	GOOGLE	US	whitelisted
2760	svchost.exe	40.115.3.253:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
8116	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	40.126.31.71 20.190.159.23 40.126.31.73 20.190.159.64 20.190.159.75 40.126.31.69 20.190.159.0 20.190.159.2	whitelisted
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
google.com	142.250.181.238	whitelisted
iplogger.co	104.21.82.93 172.67.167.249	shared
c.pki.goog	172.217.16.131	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
licensing.mp.microsoft.com	4.208.221.206	whitelisted
slscr.update.microsoft.com	40.68.123.157	whitelisted

Threats

PID	Process	Class	Message
1668	encrypter-windows-x86.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Attempting to scan SMB servers inside a home network.

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

encrypter-windows-x86.exe

2EB4C4496CE075D5885D74D9273D43B9

5E11FDB2D0E0A646EF8A1B29B648EEF2C5B554A2

6718CB66521A678274E5672285BF208EAC375827D622EDCF1FE7EBA7E7AA65E0

1536:kY47B7lxE49JjYuQwHFrW+HvXHFbza6V3cYDg:kY4F7lxEYJjYuQwlrZXHFbO6Vl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

BEAST mutex has been found

Attempting to scan the network

Attempt to connect to SMB server

SUSPICIOUS

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Creates file in the systems drive root

Checks for external IP

Potential Corporate Privacy Violation

INFO

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Create files in a temporary directory

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings