File name: svcPrvinit.bin.zip

Full analysis: https://app.any.run/tasks/00136460-12f0-4f3e-b876-457564064ed6
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 02, 2023, 14:20:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 87A5C76C5E4BF86C4FC3A14BC1CE1443
SHA1: 765FC84CF424B6517C8094651FEB58D81440D177
SHA256: 875CBB59805A0925396448AF8D1D059559EF23712EBCF9E2A55166D6ED555B9A
SSDEEP: 3072:79pYomfCrU//B3agC1O+SFia5ODXaUam7GnGYsUGFvU:ZKomf/sggObFiIOLa1mKnGYRYs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 3388)
      • cmd.exe (PID: 3512)
      • cmd.exe (PID: 3092)
      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 1984)
      • cmd.exe (PID: 3604)
      • cmd.exe (PID: 3340)
      • cmd.exe (PID: 3380)
      • cmd.exe (PID: 2404)
      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 3256)
      • cmd.exe (PID: 2368)
      • cmd.exe (PID: 1376)
      • cmd.exe (PID: 2068)
      • cmd.exe (PID: 188)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 1892)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 3056)
    • Drops the executable file immediately after the start

      • svcPrvinit.exe (PID: 2868)
    • Actions looks like stealing of personal data

      • svcPrvinit.exe (PID: 2868)
    • Renames files like ransomware

      • svcPrvinit.exe (PID: 2868)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 2764)
    • Reads the Internet Settings

      • WMIC.exe (PID: 3932)
      • WMIC.exe (PID: 2520)
      • WMIC.exe (PID: 880)
      • WMIC.exe (PID: 3972)
      • WMIC.exe (PID: 4068)
      • WMIC.exe (PID: 2100)
      • WMIC.exe (PID: 3752)
      • WMIC.exe (PID: 3776)
      • WMIC.exe (PID: 3596)
      • WMIC.exe (PID: 4056)
      • WMIC.exe (PID: 824)
      • WMIC.exe (PID: 3460)
      • WMIC.exe (PID: 2056)
      • WMIC.exe (PID: 1816)
      • WMIC.exe (PID: 2904)
      • WMIC.exe (PID: 2392)
      • WMIC.exe (PID: 2744)
      • WMIC.exe (PID: 2176)
      • WMIC.exe (PID: 3104)
    • Starts CMD.EXE for commands execution

      • svcPrvinit.exe (PID: 2868)
    • Write to the desktop.ini file (may be used to cloak folders)

      • svcPrvinit.exe (PID: 2868)
  • INFO

    • Checks supported languages

      • svcPrvinit.exe (PID: 2868)
    • Manual execution by a user

      • svcPrvinit.exe (PID: 2868)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3476)
    • Reads the computer name

      • svcPrvinit.exe (PID: 2868)
    • Reads the machine GUID from the registry

      • svcPrvinit.exe (PID: 2868)
    • Creates files or folders in the user directory

      • svcPrvinit.exe (PID: 2868)
    • Creates files in the program directory

      • svcPrvinit.exe (PID: 2868)
    • Dropped object may contain TOR URL's

      • svcPrvinit.exe (PID: 2868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2023:12:02 14:12:22
ZipCRC: 0x8b6b4ea3
ZipCompressedSize: 104854
ZipUncompressedSize: 251392
ZipFileName: svcPrvinit.bin
No data.
All screenshots are available in the full report
Total processes: 106
Monitored processes: 41
Malicious processes: 20
Suspicious processes: 0

Behavior graph (interactive process tree, available in the full report): winrar.exe → svcprvinit.exe; vssvc.exe (Windows service); repeated svcprvinit.exe → cmd.exe → wmic.exe chains.

Process information

PID: 188
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{086481BC-F8C2-46F4-8AC4-39E45FDFF513}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 824
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CD816E64-954D-42BE-9185-4135B543186B}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 880
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2150407D-40F8-40CF-9BAF-7547594980F5}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1376
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7E0546EB-07EA-48C0-B0D5-6C3695DC9933}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1816
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7E0546EB-07EA-48C0-B0D5-6C3695DC9933}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1892
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{910CFF5C-B16C-4FA9-8646-6FB613F254E4}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1984
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F2005F8-2675-4792-8D48-24D30D4C8680}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2056
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{25D36354-3653-49FC-B6EA-5D1C27AE4CEF}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2068
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0F97434F-CA6C-4D75-8CF8-7A01EA0921A0}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2100
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{99345D7E-5F33-4BBB-BE04-ADE9A0C9D8B5}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events: 2 546
Read events: 2 479
Write events: 25
Delete events: 42

Modification events

(PID) Process | Key | Operation | Name | Value
(3476) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | write | LanguageList | en-US
(3476) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(3476) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3476) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip
(3476) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(3476) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(3476) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(3476) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(3476) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(3476) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\General | write | LastFolder | C:\Users\admin\Desktop
Executable files: 9
Suspicious files: 1 910
Text files: 293
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2868 | svcPrvinit.exe | C:\Program Files\desktop.ini.L0CK3D | binary
  MD5: 3E1C8178966CA914800E76FFB21493CC
  SHA256: B4D5AFBDE76C40982C2E2054C6EB7C09FA54B2691837A4562407FDD8031C2FF5
2868 | svcPrvinit.exe | C:\read-me3.txt | text
  MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
  SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE
2868 | svcPrvinit.exe | C:\Program Files\read-me3.txt | text
  MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
  SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE
2868 | svcPrvinit.exe | C:\ProgramData\ntuser.pol | binary
  MD5: FDCB03ED90C07298C5EAFADC48074663
  SHA256: F5C378DBDBC0FE94ED015E34CBC33135C6355DDBE4C25CB1306094F81044357F
2868 | svcPrvinit.exe | C:\ProgramData\read-me3.txt | text
  MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
  SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE
2868 | svcPrvinit.exe | C:\ProgramData\ntuser.pol.L0CK3D | binary
  MD5: FDCB03ED90C07298C5EAFADC48074663
  SHA256: F5C378DBDBC0FE94ED015E34CBC33135C6355DDBE4C25CB1306094F81044357F
2868 | svcPrvinit.exe | C:\Users\read-me3.txt | text
  MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
  SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE
2868 | svcPrvinit.exe | C:\MSOCache\read-me3.txt | text
  MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
  SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE
2868 | svcPrvinit.exe | C:\Program Files\desktop.ini | binary
  MD5: 3E1C8178966CA914800E76FFB21493CC
  SHA256: B4D5AFBDE76C40982C2E2054C6EB7C09FA54B2691837A4562407FDD8031C2FF5
2868 | svcPrvinit.exe | C:\Recovery\read-me3.txt | text
  MD5: AAC99E50A0DC6EB731DE28BDA443C5DD
  SHA256: FAF077E6172B37A510527C321FF45655DF7BBE03F4040FFCBBDD4F0FED4A9FCE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 265
DNS requests: 0
Threats: 1

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 192.168.100.181:49211 | - | - | - | unknown
- | - | 192.168.100.181:49212 | - | - | - | unknown
2868 | svcPrvinit.exe | 192.168.1.2:445 | - | - | - | unknown
- | - | 192.168.100.181:49214 | - | - | - | unknown
- | - | 192.168.100.181:49215 | - | - | - | unknown
- | - | 192.168.100.181:49216 | - | - | - | unknown

DNS requests

No data

Threats

PID | Process | Class | Message
2868 | svcPrvinit.exe | Misc activity | ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
No debug info