analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SPAM2.zip

Full analysis: https://app.any.run/tasks/c0ef9114-89f1-41b6-b4f3-aefc20464183
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Malware Trends Tracker     >>>
Analysis date: March 22, 2019, 13:59:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
ransomware
gandcrab
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

8B0A34A4E85C7BF0FEA3CA339D7A947E

SHA1:

CB08899315BB2272807D2F6D28037D28145B6673

SHA256:

71148F8DBE96D81653029E6AF3CBEFDC72FE8702CEB9590C1313617C23D57FEA

SSDEEP:

6144:RHaNlc0yOzcXx/MS67uiTcSiHaNlc0yOzcXx/MS67uiTcSL:4yO6BiYStyO6BiYSL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ransom1.exe (PID: 1216)

    • Renames files like Ransomware

      • ransom1.exe (PID: 1216)

    • Writes file to Word startup folder

      • ransom1.exe (PID: 1216)

    • Dropped file may contain instructions of ransomware

      • ransom1.exe (PID: 1216)

    • Deletes shadow copies

      • cmd.exe (PID: 2116)

    • Changes settings of System certificates

      • ransom1.exe (PID: 1216)

    • GANDCRAB detected

      • ransom1.exe (PID: 1216)

  • SUSPICIOUS

    • Creates files in the program directory

      • ransom1.exe (PID: 1216)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1844)

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 1844)

    • Starts CMD.EXE for commands execution

      • ransom1.exe (PID: 1216)

    • Creates files in the user directory

      • ransom1.exe (PID: 1216)

  • INFO

    • Dropped object may contain TOR URL's

      • ransom1.exe (PID: 1216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: ransom1.exe
ZipUncompressedSize: 165376
ZipCompressedSize: 155936
ZipCRC: 0x7987d9b9
ZipModifyDate: 2019:03:22 09:37:14
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe #GANDCRAB ransom1.exe cmd.exe no specs vssadmin.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1844"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1216"C:\Users\admin\AppData\Local\Temp\Rar$EXa1844.23574\ransom1.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1844.23574\ransom1.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
2116"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quietC:\Windows\SysWOW64\cmd.exeransom1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2624vssadmin delete shadows /all /quietC:\Windows\SysWOW64\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2436"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\UPZRMU-MANUAL.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
597
Read events
541
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2 208
Text files
218
Unknown types
66

Dropped files

PID
Process
Filename
Type
1216ransom1.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
MD5:
SHA256:
1216ransom1.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData
MD5:
SHA256:
1216ransom1.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings
MD5:
SHA256:
1216ransom1.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.upzrmubinary
MD5:D308C68A6848B2C297EE6D40DD881D97
SHA256:A1D6ECAC3B86F97AE9370C286E3EE3D418C5093D6EDB3AC89B150CD4A71B57F8
1216ransom1.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata
MD5:
SHA256:
1216ransom1.exeC:\Users\admin\AppData\UPZRMU-MANUAL.txttext
MD5:617BBD3453ED7423FB405F052AE8541C
SHA256:94FC0287D68F44C95A410DEE19F7B027719BD43C29DFB967E2B61AE44B603F20
1216ransom1.exeC:\Users\admin\.oracle_jre_usage\UPZRMU-MANUAL.txttext
MD5:617BBD3453ED7423FB405F052AE8541C
SHA256:94FC0287D68F44C95A410DEE19F7B027719BD43C29DFB967E2B61AE44B603F20
1216ransom1.exeC:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\UPZRMU-MANUAL.txttext
MD5:617BBD3453ED7423FB405F052AE8541C
SHA256:94FC0287D68F44C95A410DEE19F7B027719BD43C29DFB967E2B61AE44B603F20
1216ransom1.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files (x86)\UPZRMU-MANUAL.txttext
MD5:617BBD3453ED7423FB405F052AE8541C
SHA256:94FC0287D68F44C95A410DEE19F7B027719BD43C29DFB967E2B61AE44B603F20
1216ransom1.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\UPZRMU-MANUAL.txttext
MD5:617BBD3453ED7423FB405F052AE8541C
SHA256:94FC0287D68F44C95A410DEE19F7B027719BD43C29DFB967E2B61AE44B603F20
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1216
ransom1.exe
POST
404
107.173.49.208:443
https://www.kakaocorp.link/content/graphic/kathzu.bmp
US
html
603 b
malicious
1216
ransom1.exe
GET
301
107.173.49.208:80
http://www.kakaocorp.link/
US
html
162 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1216
ransom1.exe
107.173.49.208:443
www.kakaocorp.link
ColoCrossing
US
malicious
1216
ransom1.exe
107.173.49.208:80
www.kakaocorp.link
ColoCrossing
US
malicious

DNS requests

Domain
IP
Reputation
www.kakaocorp.link
  • 107.173.49.208
malicious

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SPAM2.zip