File name: Ransomware.XData.zip

Full analysis: https://app.any.run/tasks/0b865d87-f7cf-4212-a568-6d24dc5c07b9
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 14, 2024, 09:40:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-exec, stealer, ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5: 1F73D8A54AA818CFE2596AB397B5A613
SHA1: BF1BF47A36649AB60F366A90E745542905BD313F
SHA256: 8699BBEE0650967CA278C91231117808751EAB8F22835A3DAAA652CDFF17DD92
SSDEEP: 3072:ABWpJUaw8eaQwMBqxxMDVx/hVK3CVxQOW4ILv5Z2bsGgchRMm7xl+6mGvVG:ABgUawcQRVx/JoebsGgchRz+6PM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • Ransom (17.06.05) .exe (PID: 6428)
    • Generic archive extractor

      • WinRAR.exe (PID: 6268)
    • RANSOMWARE has been detected

      • Ransom (17.06.05) .exe (PID: 6428)
    • Renames files like ransomware

      • Ransom (17.06.05) .exe (PID: 6428)
    • Actions looks like stealing of personal data

      • Ransom (17.06.05) .exe (PID: 6428)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • Ransom (17.06.05) .exe (PID: 6428)
    • Reads the date of Windows installation

      • Ransom (17.06.05) .exe (PID: 6428)
      • SearchApp.exe (PID: 6692)
    • Write to the desktop.ini file (may be used to cloak folders)

      • Ransom (17.06.05) .exe (PID: 6428)
  • INFO

    • Creates files or folders in the user directory

      • Ransom (17.06.05) .exe (PID: 6428)
    • Manual execution by a user

      • Ransom (17.06.05) .exe (PID: 6428)
    • Checks supported languages

      • Ransom (17.06.05) .exe (PID: 6428)
      • SearchApp.exe (PID: 6692)
    • Reads the machine GUID from the registry

      • Ransom (17.06.05) .exe (PID: 6428)
      • SearchApp.exe (PID: 6692)
    • Reads the computer name

      • Ransom (17.06.05) .exe (PID: 6428)
      • SearchApp.exe (PID: 6692)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 6268)
    • Creates files in the program directory

      • Ransom (17.06.05) .exe (PID: 6428)
    • Reads the software policy settings

      • SearchApp.exe (PID: 6692)
    • Process checks computer location settings

      • SearchApp.exe (PID: 6692)
    • Checks proxy server information

      • SearchApp.exe (PID: 6692)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):

ZipFileName: Ransom (17.06.05) .exe
ZipUncompressedSize: 78848
ZipCompressedSize: 37064
ZipCRC: 0x136ef64a
ZipModifyDate: 2017:06:05 15:09:08
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 119
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start -> winrar.exe (no specs) -> ransom (17.06.05) .exe (THREAT); searchapp.exe

Process information

PID: 6268
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Ransomware.XData.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6428
CMD: "C:\Users\admin\Desktop\Ransom (17.06.05) .exe"
Path: C:\Users\admin\Desktop\Ransom (17.06.05) .exe
Parent process: explorer.exe
User: admin
Company: ACAPsoft
Integrity Level: MEDIUM
Description: Install Automator
Version: 0.892
Modules (images):
c:\users\admin\desktop\ransom (17.06.05) .exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6692
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Search application
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wincorlib.dll
Total events: 9 758
Read events: 9 687
Write events: 69
Delete events: 2

Modification events

PID | Process | Key | Operation | Name | Value
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\Ransomware.XData.zip
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan | write | DefScanner | Windows Defender
6268 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface | write | ShowPassword | 0
Executable files: 7
Suspicious files: 3 329
Text files: 1 572
Unknown types: 4

Dropped files

PID | Process | Filename | Type
6428 | Ransom (17.06.05) .exe | C:\Users\admin\Desktop\DESKTOP-JGLLJLD#1DB6A426DF35EA7FFBBD3191E482BA79-#-2024121494033-25.key.~xdata~ | binary
  MD5: 92F25A7EE131367239D9355A82150FDC
  SHA256: 1B07400BB4C1304C4540C013CC43481E8CA093AA7E1814EB48188CD4827304E0
6428 | Ransom (17.06.05) .exe | C:\ProgramData\DESKTOP-JGLLJLD#1DB6A426DF35EA7FFBBD3191E482BA79-#-2024121494033-25.key | binary
  MD5: A1649D8E1B4DB7187FADA527F5525E86
  SHA256: B4F373A700CCBB8755C94CFF8B6EEEB9AFD75FCD723F29F24B3115BE4162FD1B
6428 | Ransom (17.06.05) .exe | C:\ProgramData\DESKTOP-JGLLJLD#1DB6A426DF35EA7FFBBD3191E482BA79-#-2024121494033-25.key.~xdata~ | binary
  MD5: 92F25A7EE131367239D9355A82150FDC
  SHA256: 1B07400BB4C1304C4540C013CC43481E8CA093AA7E1814EB48188CD4827304E0
6428 | Ransom (17.06.05) .exe | C:\Users\Public\Libraries\desktop.ini.~xdata~ | binary
  MD5: 0B0FB7AE06F40EC4536512DAC33956F7
  SHA256: 9B6E715F6D669683D94F56E36E294FA8C61A3D3978CFBE72C39C995AE5435D2D
6428 | Ransom (17.06.05) .exe | C:\Users\Public\Downloads\desktop.ini.~xdata~ | binary
  MD5: 25E62CD2204FE779E7E9CE7F1B18F4E0
  SHA256: 562599F9B076CBF94333F2FFCE12F26760947B79C57D90F300A24D715311B4B5
6428 | Ransom (17.06.05) .exe | C:\Users\Public\Music\desktop.ini.~xdata~ | binary
  MD5: 6A99B4B818AC052AA700973263BBBEB3
  SHA256: D96C883338EFB272362075EFB1EB227C76E134D13450F6D096C49AB3A3DC5224
6428 | Ransom (17.06.05) .exe | C:\bootTel.dat | binary
  MD5: FD057DA5370C3D837FEDBC0D496ABB95
  SHA256: 52860EFC983A48767AA9C0C8FFDB889702A5F57DC89A93B01F28F6D8AF1FAFD2
6428 | Ransom (17.06.05) .exe | C:\Users\Public\Libraries\RecordedTV.library-ms.~xdata~ | binary
  MD5: FC8E0F9A7C4C39B38B02BC9E0209B9F6
  SHA256: F1E1F0668CE051E28A98C8729B793FF79CA1F8E9D452D228281A4CEED7CF0711
6428 | Ransom (17.06.05) .exe | C:\Users\Public\Music\HOW_CAN_I_DECRYPT_MY_FILES.txt | text
  MD5: DDADA6F30DB34979717F755A20121B98
  SHA256: 342509C2462A85FBFFAA0B6FC2F69A74EFFA68CBD982DDE9259D58091B240BB5
6428 | Ransom (17.06.05) .exe | C:\Users\Public\HOW_CAN_I_DECRYPT_MY_FILES.txt | text
  MD5: DDADA6F30DB34979717F755A20121B98
  SHA256: 342509C2462A85FBFFAA0B6FC2F69A74EFFA68CBD982DDE9259D58091B240BB5
HTTP(S) requests: 19
TCP/UDP connections: 23
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(cells that are empty in the report are shown as -)
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 104.126.37.129:443 | https://r.bing.com/rp/0u2b9EXo8LdXut1MFm4AD0phBuM.br.js | unknown | - | - | -
- | - | GET | 200 | 104.126.37.131:443 | https://r.bing.com/rp/76h-lqe82bg-bnu-ApkwUALogkQ.br.js | unknown | - | - | -
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 204 | 104.126.37.185:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | GET | 200 | 104.126.37.131:443 | https://r.bing.com/rb/19/cir3,ortl,cc,nc/dg0bEoz0nxScOpJJ_JI0IxFBuTs.css?bu=CIADWu4CyAH0AW5uiwM&or=w | unknown | text | 5.99 Kb | whitelisted
- | - | GET | 200 | 104.126.37.178:443 | https://r.bing.com/rb/3D/ortl,cc,nc/AptopUBu7_oVDubJxwvaIprW-lI.css?bu=A4gCjAKPAg&or=w | unknown | text | 15.5 Kb | whitelisted
- | - | GET | 200 | 104.126.37.130:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 3.37 Kb | whitelisted
- | - | GET | 200 | 104.126.37.186:443 | https://r.bing.com/rp/Cj4mQnDN_eMyYEqsEbjRrJ2Ttec.br.js | unknown | - | - | -
- | - | GET | 200 | 104.126.37.137:443 | https://r.bing.com/rp/-iNIzuEypRdgRJ6xnyVHizZ3bpM.br.js | unknown | binary | 17.0 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(cells that are empty in the report are shown as -)
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.185:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3976 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6692 | SearchApp.exe | 104.126.37.130:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
6692 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
www.bing.com
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
r.bing.com
whitelisted
self.events.data.microsoft.com
  • 40.74.98.195
whitelisted

Threats: No threats detected
Debug info: none