analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sd.zip

Full analysis: https://app.any.run/tasks/12822def-1322-43c0-9de2-7873380ceb9e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: August 12, 2022, 16:22:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
hildacrypt
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B85E1931DDBED7D63518391003F7C8A7

SHA1:

C216F1A7B9F56BE969C92B083931EDDF3B1F48F1

SHA256:

723FEC26C99A4FC7CCE0732785C0B6752F37A469C4B9EDAC9907A8CC8AF207C7

SSDEEP:

98304:kAbcQ+6xTqgPoDXdvgcnIZihO8qTaL9jbxvnVsYO/GYm9wMGJx2R8CqP:kAgrk5oDtZIwhtLNt4f2GJE2P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3360)
      • stub-compressed.exe (PID: 3152)
      • stub-obf.exe (PID: 3652)
      • enc30.exe (PID: 4040)
      • enc.exe (PID: 4024)

    • Application was dropped or rewritten from another process

      • stub-compressed.exe (PID: 3152)
      • enc30.exe (PID: 4040)
      • stub-obf.exe (PID: 3652)
      • enc.exe (PID: 4024)

    • Changes the autorun value in the registry

      • enc.exe (PID: 4024)

    • Writes to a start menu file

      • enc.exe (PID: 4024)

    • Steals credentials from Web Browsers

      • enc.exe (PID: 4024)

    • Actions looks like stealing of personal data

      • enc.exe (PID: 4024)

    • Modifies files in Chrome extension folder

      • enc.exe (PID: 4024)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3360)
      • stub-compressed.exe (PID: 3152)
      • stub-obf.exe (PID: 3652)
      • enc.exe (PID: 4024)
      • enc30.exe (PID: 4040)
      • WMIC.exe (PID: 3368)

    • Checks supported languages

      • WinRAR.exe (PID: 3360)
      • stub-compressed.exe (PID: 3152)
      • enc30.exe (PID: 4040)
      • stub-obf.exe (PID: 3652)
      • enc.exe (PID: 4024)
      • cmd.exe (PID: 3048)
      • WMIC.exe (PID: 3368)
      • cmd.exe (PID: 3928)
      • cmd.exe (PID: 416)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3360)
      • stub-compressed.exe (PID: 3152)
      • stub-obf.exe (PID: 3652)
      • enc30.exe (PID: 4040)
      • enc.exe (PID: 4024)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3360)
      • stub-compressed.exe (PID: 3152)
      • stub-obf.exe (PID: 3652)
      • enc30.exe (PID: 4040)
      • enc.exe (PID: 4024)

    • Creates files in the program directory

      • enc.exe (PID: 4024)

    • Changes default file association

      • enc.exe (PID: 4024)

  • INFO

    • Manual execution by user

      • stub-compressed.exe (PID: 3152)

    • Checks supported languages

      • vssadmin.exe (PID: 3108)
      • bcdedit.exe (PID: 1712)
      • bcdedit.exe (PID: 2164)
      • wbadmin.exe (PID: 1164)

    • Reads the computer name

      • wbadmin.exe (PID: 1164)
      • vssadmin.exe (PID: 3108)

    • Dropped object may contain URL to Tor Browser

      • enc.exe (PID: 4024)

    • Dropped object may contain TOR URL's

      • enc.exe (PID: 4024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: stub-compressed.exe
ZipUncompressedSize: 4369408
ZipCompressedSize: 4367134
ZipCRC: 0x900ea696
ZipModifyDate: 2022:08:12 18:21:14
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
13
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe stub-compressed.exe stub-obf.exe enc30.exe enc.exe cmd.exe no specs vssadmin.exe no specs wmic.exe no specs cmd.exe no specs bcdedit.exe no specs bcdedit.exe no specs cmd.exe no specs wbadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3360"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sd.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
3152"C:\Users\admin\Desktop\stub-compressed.exe" C:\Users\admin\Desktop\stub-compressed.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
3652"C:\Users\admin\AppData\Local\Temp\stub-obf.exe" C:\Users\admin\AppData\Local\Temp\stub-obf.exe
stub-compressed.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4040"C:\Users\admin\AppData\Local\Temp\enc30.exe" C:\Users\admin\AppData\Local\Temp\enc30.exe
stub-obf.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
4024"C:\Users\admin\AppData\Local\Temp\enc.exe" C:\Users\admin\AppData\Local\Temp\enc.exe
enc30.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Solidbit
Version:
1.0.0.0
3048"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy deleteC:\Windows\System32\cmd.exeenc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2147749908
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3108vssadmin delete shadows /all /quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3368wmic shadowcopy deleteC:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3928"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noC:\Windows\System32\cmd.exeenc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2164bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Boot Configuration Data Editor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
9 075
Read events
9 018
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
556
Text files
398
Unknown types
8

Dropped files

PID
Process
Filename
Type
4024enc.exeC:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RESTORE-MY-FILES.txttext
MD5:AD1DACA762646B2CC1AC56FCBB0F335D
SHA256:F3D7447A2D5E50E770C1E980FBB9C81763E73F933FB92B92BEEC596E2A91C65F
4024enc.exeC:\Users\Public\RESTORE-MY-FILES.txttext
MD5:AD1DACA762646B2CC1AC56FCBB0F335D
SHA256:F3D7447A2D5E50E770C1E980FBB9C81763E73F933FB92B92BEEC596E2A91C65F
4024enc.exeC:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\RESTORE-MY-FILES.txttext
MD5:AD1DACA762646B2CC1AC56FCBB0F335D
SHA256:F3D7447A2D5E50E770C1E980FBB9C81763E73F933FB92B92BEEC596E2A91C65F
3652stub-obf.exeC:\Users\admin\AppData\Local\Temp\steal.exeexecutable
MD5:5752FEB84BEF81E909D52F796CF8C841
SHA256:58FBC2D79DD04087E12D742A0DBEC9A09CEF8B8C75874FE54A78AA7E2402272D
4024enc.exeC:\Users\Public\Downloads\RESTORE-MY-FILES.txttext
MD5:AD1DACA762646B2CC1AC56FCBB0F335D
SHA256:F3D7447A2D5E50E770C1E980FBB9C81763E73F933FB92B92BEEC596E2A91C65F
3652stub-obf.exeC:\Users\admin\AppData\Local\Temp\enc30.exeexecutable
MD5:BD186417803D0B55EAA80C491AD046CC
SHA256:A21B26403B45B181B53BE94A8142716632C4DDE6DA84A68518150E39C5861C18
4024enc.exeC:\Users\admin\AppData\Local\VirtualStore\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\RESTORE-MY-FILES.txttext
MD5:AD1DACA762646B2CC1AC56FCBB0F335D
SHA256:F3D7447A2D5E50E770C1E980FBB9C81763E73F933FB92B92BEEC596E2A91C65F
4024enc.exeC:\Users\admin\RESTORE-MY-FILES.txttext
MD5:AD1DACA762646B2CC1AC56FCBB0F335D
SHA256:F3D7447A2D5E50E770C1E980FBB9C81763E73F933FB92B92BEEC596E2A91C65F
4024enc.exeC:\Users\Public\Music\Sample Music\RESTORE-MY-FILES.txttext
MD5:AD1DACA762646B2CC1AC56FCBB0F335D
SHA256:F3D7447A2D5E50E770C1E980FBB9C81763E73F933FB92B92BEEC596E2A91C65F
4024enc.exeC:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\RESTORE-MY-FILES.txttext
MD5:AD1DACA762646B2CC1AC56FCBB0F335D
SHA256:F3D7447A2D5E50E770C1E980FBB9C81763E73F933FB92B92BEEC596E2A91C65F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sd.zip