File name: 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.zip

Full analysis: https://app.any.run/tasks/c0ad7db4-352f-4727-94e7-f2471454b2a3
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 20, 2022, 19:39:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ransomware
m461c14n
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5: EE983997F7D56F648C1EF525D1CE2309
SHA1: 8C4A5D40668AA9187EBEFF444EEBF754F7F2389E
SHA256: 69122F465C5BB5529D0141E6D6351A1F4485C76357FC07147BD2AE87E3609D92
SSDEEP: 6144:nrEquZ2G1y3+ofGPl5bpoJ1LOUVqhEzROxHb5eh+tdFG6mIYcmiU4S0k:noM3SPnNUVqheIx1e16mpD0k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2800)
    • Application was dropped or rewritten from another process

      • 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe (PID: 3160)
    • M461C14N was detected

      • 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe (PID: 3160)
    • Connects to CnC server

      • 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe (PID: 3160)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2800)
      • 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe (PID: 3160)
    • Checks supported languages

      • WinRAR.exe (PID: 2800)
      • 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe (PID: 3160)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2800)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2800)
  • INFO

    • Manual execution by user

      • 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe (PID: 3160)
      • WINWORD.EXE (PID: 1824)
    • Checks supported languages

      • WINWORD.EXE (PID: 1824)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 1824)
    • Reads the computer name

      • WINWORD.EXE (PID: 1824)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe
ZipUncompressedSize: 1128448
ZipCompressedSize: 323568
ZipCRC: 0x4025bf69
ZipModifyDate: 2022:05:20 19:38:15
ZipCompression: Unknown (99)
ZipBitFlag: 0x0003
ZipRequiredVersion: 51
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph: winrar.exe; 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe (#M461C14N); winword.exe (no specs)

Process information

PID: 2800
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll

PID: 3160
CMD: "C:\Users\admin\Desktop\51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe"
Path: C:\Users\admin\Desktop\51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 1824
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\decstructure.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  • c:\windows\system32\gdi32.dll
Total events: 2 941
Read events: 2 666
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 1
Text files: 1
Unknown types: 6

Dropped files

PID: 1824 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR280C.tmp.cvr
Type: (blank in report)
MD5: (blank in report)
SHA256: (blank in report)

PID: 1824 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{948AD1D8-2F40-439B-8D1D-A445C4C9E450}.tmp
Type: dbf
MD5: 43D563E190660DAF9DBE88537C7C79B5
SHA256: 8E4DC035763ECA125C096F1C9B00443B985E657EA88F03C79EFBE799EA98E2FC

PID: 2800 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2800.24696\51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe
Type: executable
MD5: 63310D6D463048C9EB6A79ADC6094047
SHA256: 51BDE9E90C740DD15CA5F289BB893689F90DE2AE542B7F140E5334FF7F4768E8

PID: 1824 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: ini
MD5: FA49BBD1697685A1B2BC7CCD19096CEC
SHA256: 284372094EF46915B48E151A308F4469319477F65AF72D2499463BB76AB3391D

PID: 1824 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\decstructure.rtf.LNK
Type: lnk
MD5: 96879FC6A2FF07609A5362A0D223DCB1
SHA256: D4BE1C20FD334601FFD1D9BFFEC5BD3DF8B36CA9D0A8E08EDC72828CB797223A

PID: 1824 (WINWORD.EXE)
Filename: C:\Users\admin\Desktop\~$cstructure.rtf
Type: pgc
MD5: EDF87BDD19333623D329F56F1675419E
SHA256: 24E01BF28A433BA5E1446793311B9D002CD80489C684461C55AB3978B4CD3BD1

PID: 1824 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5: 5156954C7BF255BDA716894B8CC26006
SHA256: 5C0CDF8A72BDBAEA912C4631AF8DB454094BD54DA24C19BD3889E318E7A077F4

PID: 1824 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{354E08F6-1604-404F-BB14-70A9B4FB6C64}.tmp
Type: binary
MD5: CA7242560EC8A7ED01BEB88E49392FDC
SHA256: A7C7A2CB5811908308F40390EAC533127281915FA40B6D93F84AC2B80DD50868

PID: 1824 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2BFA8DF0-BC1C-4ACF-9F46-73832281EC76}.tmp
Type: smt
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID: 3160
Process: 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe
Method: GET
HTTP Code: 301
IP: 151.101.112.193:80
URL: http://i.imgur.com/ZpOkZ5g.jpg
CN: US
Type: (blank in report)
Size: (blank in report)
Reputation: shared

PID: 3160
Process: 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe
Method: POST
HTTP Code: 404
IP: 35.173.69.207:80
URL: http://preonlinetest.pythonanywhere.com/setup?c=User-PC&u=admin&p=VXNlci1QQ2FkbWluBTVWfH4iZhc8AlRZNxgrLhNZIjsxMUEURHUED0ZlPyo=
CN: US
Type: html
Size: 2.85 Kb
Reputation: malicious

Connections

PID: 3160
Process: 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe
IP: 151.101.112.193:80
Domain: i.imgur.com
ASN: Fastly
CN: US
Reputation: malicious

PID: 3160
Process: 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe
IP: 35.173.69.207:80
Domain: preonlinetest.pythonanywhere.com
ASN: Amazon.com, Inc.
CN: US
Reputation: malicious

DNS requests

Domain: preonlinetest.pythonanywhere.com
IP: 35.173.69.207
Reputation: malicious

Domain: i.imgur.com
IP: 151.101.112.193
Reputation: shared

Threats

PID: (blank in report)
Process: (blank in report)
Class: Potential Corporate Privacy Violation
Message: AV POLICY PythonAnywhere Observed DNS Query

PID: 3160
Process: 51bde9e90c740dd15ca5f289bb893689f90de2ae542b7f140e5334ff7f4768e8.exe
Class: A Network Trojan was detected
Message: ET TROJAN Magician/M461c14n Ransomware CnC Checkin
1 ETPRO signatures available at the full report
No debug info