File name:

Muestra R.zip

Full analysis: https://app.any.run/tasks/ee597212-3cd9-453d-a1b9-38b2ced4d359
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: November 11, 2023, 21:46:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

5AEECD2BDFE4FF5476B2FDB3DB779C26

SHA1:

589469C74FFB4818352E0E73825389026158F162

SHA256:

82EB2DB0EE08C97125FF0EC21518F14EF42CBDC42CDC6D250A07D38F91D6ABB5

SSDEEP:

98304:rUoJrW6S1AAJSILYhFxklE+SQEWP4K4uyvtwLIAJq8ldE7/ijglq3EqqbWEa7lKR:Bu5xC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • pa4yg3aq2.exe (PID: 2900)
      • pa4yg3aq2.exe (PID: 3604)
      • 7za.exe (PID: 3612)
      • conUpdate.exe (PID: 3912)

    • Known privilege escalation attack

      • dllhost.exe (PID: 3840)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1612)
      • powershell.exe (PID: 712)
      • powershell.exe (PID: 2000)

    • Changes powershell execution policy (Bypass)

      • conUpdate.exe (PID: 3912)

    • UAC/LUA settings modification

      • conUpdate.exe (PID: 3912)

    • Deletes shadow copies

      • conUpdate.exe (PID: 3912)

    • Using BCDEDIT.EXE to modify recovery options

      • conUpdate.exe (PID: 3912)

    • Renames files like ransomware

      • conUpdate.exe (PID: 3912)

    • Actions looks like stealing of personal data

      • conUpdate.exe (PID: 3912)

  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • pa4yg3aq2.exe (PID: 2900)
      • pa4yg3aq2.exe (PID: 3604)

    • Reads the Internet Settings

      • pa4yg3aq2.exe (PID: 2900)

    • Starts CMD.EXE for commands execution

      • conUpdate.exe (PID: 3912)
      • pa4yg3aq2.exe (PID: 2900)

    • Application launched itself

      • conUpdate.exe (PID: 3912)

    • Creates or modifies Windows services

      • conUpdate.exe (PID: 3912)

    • Starts POWERSHELL.EXE for commands execution

      • conUpdate.exe (PID: 3912)

    • Executing commands from ".cmd" file

      • pa4yg3aq2.exe (PID: 2900)

    • Powershell version downgrade attack

      • powershell.exe (PID: 712)
      • powershell.exe (PID: 2000)
      • powershell.exe (PID: 1612)

    • Uses powercfg.exe to modify the power settings

      • conUpdate.exe (PID: 3912)

    • Executes as Windows Service

      • VSSVC.exe (PID: 2436)
      • vds.exe (PID: 3596)
      • systray.exe (PID: 3688)
      • wbengine.exe (PID: 3508)

    • Starts NET.EXE to map network drives

      • conUpdate.exe (PID: 3912)

    • Creates files like ransomware instruction

      • conUpdate.exe (PID: 3912)

    • Start notepad (likely ransomware note)

      • conUpdate.exe (PID: 3912)

  • INFO

    • Manual execution by a user

      • pa4yg3aq2.exe (PID: 2900)
      • explorer.exe (PID: 3320)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3448)

    • Checks supported languages

      • pa4yg3aq2.exe (PID: 2900)
      • 7za.exe (PID: 3564)
      • pa4yg3aq2.exe (PID: 3604)
      • 7za.exe (PID: 3612)
      • conUpdate.exe (PID: 3724)
      • conUpdate.exe (PID: 4024)
      • Everything.exe (PID: 4060)
      • conUpdate.exe (PID: 4012)
      • Everything.exe (PID: 3540)
      • xdel.exe (PID: 984)
      • xdel.exe (PID: 664)
      • conUpdate.exe (PID: 3912)

    • Create files in a temporary directory

      • pa4yg3aq2.exe (PID: 2900)
      • 7za.exe (PID: 3612)
      • xdel.exe (PID: 984)

    • Reads the computer name

      • 7za.exe (PID: 3564)
      • 7za.exe (PID: 3612)
      • pa4yg3aq2.exe (PID: 3604)
      • pa4yg3aq2.exe (PID: 2900)
      • conUpdate.exe (PID: 3912)
      • conUpdate.exe (PID: 3724)
      • conUpdate.exe (PID: 4012)
      • Everything.exe (PID: 4060)
      • conUpdate.exe (PID: 4024)
      • Everything.exe (PID: 3540)
      • xdel.exe (PID: 984)
      • xdel.exe (PID: 664)

    • Creates files or folders in the user directory

      • pa4yg3aq2.exe (PID: 3604)
      • conUpdate.exe (PID: 3912)
      • Everything.exe (PID: 4060)

    • Checks transactions between databases Windows and Oracle

      • pa4yg3aq2.exe (PID: 3604)

    • Reads the machine GUID from the registry

      • pa4yg3aq2.exe (PID: 3604)
      • conUpdate.exe (PID: 3912)
      • xdel.exe (PID: 984)
      • xdel.exe (PID: 664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:11:09 22:00:50
ZipCRC: 0x329ab2f6
ZipCompressedSize: 2050768
ZipUncompressedSize: 2101416
ZipFileName: pa4yg3aq2.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
46
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs pa4yg3aq2.exe no specs 7za.exe no specs 7za.exe no specs pa4yg3aq2.exe no specs CMSTPLUA no specs conupdate.exe cmd.exe no specs conupdate.exe no specs conupdate.exe no specs conupdate.exe no specs everything.exe no specs cmd.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs everything.exe no specs explorer.exe no specs systray.exe no specs net.exe no specs notepad.exe no specs xdel.exe no specs xdel.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
148powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635cC:\Windows\System32\powercfg.execonUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
664powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0C:\Windows\System32\powercfg.execonUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
664"C:\Users\admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\xdel.exe" -accepteula -p 1 -c Z:\C:\Users\admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\xdel.execonUpdate.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\{d30e6601-c68c-38f9-ff44-7884977cf18d}\xdel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
712powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execonUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
752powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0C:\Windows\System32\powercfg.execonUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
788powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0C:\Windows\System32\powercfg.execonUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
900bcdedit.exe /set {default} recoveryenabled noC:\Windows\System32\bcdedit.execonUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
908powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0C:\Windows\System32\powercfg.execonUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
984"C:\Users\admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\xdel.exe" -accepteula -p 1 -c C:\C:\Users\admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\xdel.execonUpdate.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\{d30e6601-c68c-38f9-ff44-7884977cf18d}\xdel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1236powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61C:\Windows\System32\powercfg.execonUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
8 139
Read events
7 936
Write events
203
Delete events
0

Modification events

(PID) Process:(3448) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2900) pa4yg3aq2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2900) pa4yg3aq2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
30
Suspicious files
762
Text files
438
Unknown types
0

Dropped files

PID
Process
Filename
Type
2900pa4yg3aq2.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything32.dllexecutable
MD5:3B03324537327811BBBAFF4AAFA4D75B
SHA256:8CAE8A9740D466E17F16481E68DE9CBD58265863C3924D66596048EDFD87E880
3604pa4yg3aq2.exeC:\Users\admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\xdel.exeexecutable
MD5:803DF907D936E08FBBD06020C411BE93
SHA256:E8EAA39E2ADFD49AB69D7BB8504CCB82A902C8B48FBC256472F36F41775E594C
36127za.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\pa4yg3aq2.exeexecutable
MD5:35B02A5E8FB661526C6FEAB0D48131DC
SHA256:084F828FC318863ADB8DC98D97BC5FD11B5770971AFC97FE3315C3CC348D9A56
3448WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3448.16353\pa4yg3aq2.exeexecutable
MD5:E5E0FA7832B6630D54F99DA00087FFCA
SHA256:BFA636627EA8A5FC3053875E45EEE1C0AE08D442C71CCFB9B672457229895548
36127za.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Everything.initext
MD5:742C2400F2DE964D0CCE4A8DABADD708
SHA256:2FEFB69E4B2310BE5E09D329E8CF1BEBD1F9E18884C8C2A38AF8D7EA46BD5E01
3604pa4yg3aq2.exeC:\Users\admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\Everything2.initext
MD5:51014C0C06ACDD80F9AE4469E7D30A9E
SHA256:89AD2164717BD5F5F93FBB4CEBF0EFEB473097408FDDFC7FC7B924D790514DC5
3604pa4yg3aq2.exeC:\temp\MIMIC_LOG.txttext
MD5:DA017A972CA9709C987496AABADDCBA9
SHA256:17BDAAE4844F7869D5C9D6B1A40648F2BD66248D790B42891077ACA57B208D7D
3604pa4yg3aq2.exeC:\Users\admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\7za.exeexecutable
MD5:B93EB0A48C91A53BDA6A1A074A4B431E
SHA256:AB15A9B27EE2D69A8BC8C8D1F5F40F28CD568F5CBB28D36ED938110203F8D142
1612powershell.exe
MD5:
SHA256:
3604pa4yg3aq2.exeC:\Users\admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\Everything32.dllexecutable
MD5:3B03324537327811BBBAFF4AAFA4D75B
SHA256:8CAE8A9740D466E17F16481E68DE9CBD58265863C3924D66596048EDFD87E880
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
525
DNS requests
0
Threats
2

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted
192.168.100.93:49170
unknown
192.168.100.93:49171
unknown
3912
conUpdate.exe
192.168.1.2:445
unknown
192.168.100.93:49173
unknown
192.168.100.93:49174
unknown
192.168.100.93:49175
unknown

DNS requests

No data

Threats

PID
Process
Class
Message
3912
conUpdate.exe
Misc activity
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
3912
conUpdate.exe
Misc activity
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Muestra R.zip