analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe

Full analysis: https://app.any.run/tasks/f8843975-bc2a-4293-8790-1dcf14f50e1d
Verdict: Malicious activity
Threats:

LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations.

Malware Trends Tracker     >>>
Analysis date: July 12, 2020, 19:12:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
lockbit
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

35E799C0C2B973E3C021558B4E8C79BB

SHA1:

D7A0A1C6EF79D32F81AD6940242B31B519F46913

SHA256:

80F2904D6B331CF689249DF1C73E25EAF49A60960BCCD46BB4A9816137036146

SSDEEP:

3072:vLkDwmTtinfaDoM1oo+WLMEOig8xNIO54QU+0vf7kJlrbdT031Md3GlWXY:vLk7MTMyoBO3Ff72rbvZGlKY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LOCKBIT was detected

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

    • Changes the autorun value in the registry

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

    • Deletes shadow copies

      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 2776)
      • cmd.exe (PID: 3928)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3844)
      • cmd.exe (PID: 2784)
      • cmd.exe (PID: 2340)

    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 2080)

    • Renames files like Ransomware

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 2036)
      • vds.exe (PID: 3956)
      • wbengine.exe (PID: 2080)

    • Starts CMD.EXE for commands execution

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

    • Executed via COM

      • DllHost.exe (PID: 1696)
      • DllHost.exe (PID: 1916)
      • vdsldr.exe (PID: 1000)

    • Uses WEVTUTIL.EXE to clean Windows Eventlog

      • cmd.exe (PID: 2688)
      • cmd.exe (PID: 3204)
      • cmd.exe (PID: 988)
      • cmd.exe (PID: 2812)
      • cmd.exe (PID: 652)
      • cmd.exe (PID: 3456)

    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 2080)
      • vds.exe (PID: 3956)

    • Creates files in the Windows directory

      • wbadmin.exe (PID: 3992)

    • Executable content was dropped or overwritten

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

    • Changes the desktop background image

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

    • Reads Internet Cache Settings

      • mshta.exe (PID: 1984)
      • mshta.exe (PID: 1756)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

    • Starts CMD.EXE for self-deleting

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

    • Creates files in the program directory

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 1984)
      • mshta.exe (PID: 1756)

    • Manual execution by user

      • mshta.exe (PID: 1756)

    • Dropped object may contain Bitcoin addresses

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)

    • Dropped object may contain TOR URL's

      • Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe (PID: 3112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 1.0.4.4
Copyright: Copyrighd (C) 2020, odfrjv
InternalSurnames: edzgkphvesw.ixe
FileVersionz: 1.2.6.1
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Static library
FileOS: Unknown (0x40304)
FileFlags: Pre-release, Patched
FileFlagsMask: 0x006f
ProductVersionNumber: 1.0.0.1
FileVersionNumber: 1.0.0.1
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x5b0c
UninitializedDataSize: -
InitializedDataSize: 8853504
CodeSize: 104960
LinkerVersion: 12
PEType: PE32
TimeStamp: 2019:05:11 11:03:38+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-May-2019 09:03:38
Detected languages:
  • Chinese - PRC
  • Swedish - Finland
FileVersionz: 1.2.6.1
InternalSurnames: edzgkphvesw.ixe
Copyright: Copyrighd (C) 2020, odfrjv
ProductVersion: 1.0.4.4

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 11-May-2019 09:03:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x0086C000
0x00016380
0x00015600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99129
.rdata
0x0001B000
0x00008640
0x00008800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.68293
.data
0x00024000
0x00847828
0x00005800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.45526
.rsrc
0x00883000
0x0000A3F0
0x0000A400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.48961

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.42278
480
UNKNOWN
UNKNOWN
RT_VERSION
2
5.757
1384
UNKNOWN
Swedish - Finland
RT_ICON
3
5.14688
9640
UNKNOWN
Swedish - Finland
RT_ICON
4
6.75868
1128
UNKNOWN
Swedish - Finland
RT_ICON
5
4.94699
3752
UNKNOWN
Swedish - Finland
RT_ICON
6
5.7251
2216
UNKNOWN
Swedish - Finland
RT_ICON
7
5.1288
1384
UNKNOWN
Swedish - Finland
RT_ICON
8
4.94601
9640
UNKNOWN
Swedish - Finland
RT_ICON
9
5.41822
4264
UNKNOWN
Swedish - Finland
RT_ICON
10
5.46054
2440
UNKNOWN
Swedish - Finland
RT_ICON

Imports

KERNEL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
55
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start trojan.autorun.ata_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe no specs CMSTPLUA no specs %systemroot%\system32\colorui.dll no specs #LOCKBIT trojan.autorun.ata_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs vssadmin.exe no specs cmd.exe no specs bcdedit.exe no specs cmd.exe no specs cmd.exe no specs bcdedit.exe no specs cmd.exe no specs wbadmin.exe no specs cmd.exe no specs wbadmin.exe no specs cmd.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wevtutil.exe no specs cmd.exe no specs cmd.exe no specs wevtutil.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wevtutil.exe no specs cmd.exe no specs vssadmin.exe no specs cmd.exe no specs bcdedit.exe no specs wmic.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbadmin.exe no specs wmic.exe no specs wevtutil.exe no specs wevtutil.exe no specs wevtutil.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs mshta.exe no specs cmd.exe no specs ping.exe no specs fsutil.exe no specs mshta.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
852"C:\Users\admin\AppData\Local\Temp\Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe" C:\Users\admin\AppData\Local\Temp\Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1696C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1916C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3112"C:\Users\admin\AppData\Local\Temp\Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe" C:\Users\admin\AppData\Local\Temp\Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe
DllHost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225477
2340"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietC:\Windows\System32\cmd.exeTrojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2604vssadmin delete shadows /all /quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2036C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2776/c vssadmin Delete Shadows /All /QuietC:\Windows\system32\cmd.exeTrojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3844/c bcdedit /set {default} recoveryenabled NoC:\Windows\system32\cmd.exeTrojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
892/c bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\cmd.exeTrojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 046
Read events
997
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
13 261
Text files
1 691
Unknown types
383

Dropped files

PID
Process
Filename
Type
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\Benioku.htm.lockbitbinary
MD5:AFFA996C40A078BC4B3A8718ABACCB39
SHA256:AEAB87FAB865921EDC5B20C2E67F057D3746BD23D41E3584A9F34692FC14C3B0
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm.lockbitbinary
MD5:9E91559C6009B83EFF7A0382E8D280B1
SHA256:2169E46FB9CE27206E62BBC91CD775D0650E4012954FAE9E03C17DB25999159C
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Certificates_R.aapp.lockbitbinary
MD5:786DCD8620C8B633C4AF62A40FEB4ADF
SHA256:77D9361ED88ACF8836ED7F4F7305563D0880795FCE9F940C56FE67BDBFBDCBA8
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\Berime.htm.lockbitbinary
MD5:FD0343650F3132FB3E2AF81973D07E02
SHA256:27DBD6906DB0D6EB476BB4DCBA85774F13062517C4D82CA137B09F23DE38D362
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\Lisezmoi.htm.lockbitbinary
MD5:67ABDA62392469CF37CC461201DE5E17
SHA256:20F926186823BF9605F75082E60927EA3F4D62A21D116A560D5192E891F903FD
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\Restore-My-Files.txttext
MD5:32DB48065B042837E17B56A4F55AEA19
SHA256:1D52866D621E6A58110943C53B44E3687928309D06B5B6C82DEB792BD8A18D7F
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Combine_R_RHP.aapp.lockbitbinary
MD5:2AE5F5FBA9CC7273E1CF1254F6DFF310
SHA256:AAE56ECDBD6A9CFE3F5019F44413BBBC0834A7F54FDFC50AA688239975B78C15
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm.lockbitbinary
MD5:EBA19FFECB3805F63EA125D169012B25
SHA256:B148E654E2B85386A9BE4BFC4919452811C5B4444E60E9C212A0627E89D97A89
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\LeesMij.htm.lockbitbinary
MD5:AB9BD8876C2BCDE16B871F373C76527C
SHA256:D60FBCF4781F64E4CF54722B8144032634A2D04DE5D4DA9F4F16CC5D39738E96
3112Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exeC:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\EPDF_RHP.aapp.lockbitbinary
MD5:387BC6533B8B0F63F1FAEAB765C9D5B1
SHA256:4385BFACEEDD0F29080F57CA0F84FF3D49C730DAF2CA9E3A6C406F6559A49115
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Trojan.Autorun.ATA_virussign.com_35e799c0c2b973e3c021558b4e8c79bb.exe