File name: svcPrvinit.bin.zip

Full analysis: https://app.any.run/tasks/b8502e05-0bed-4653-807e-4e500e6858ab
Verdict: Malicious activity
Threats: ransomware

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 02, 2023, 14:12:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 87A5C76C5E4BF86C4FC3A14BC1CE1443
SHA1: 765FC84CF424B6517C8094651FEB58D81440D177
SHA256: 875CBB59805A0925396448AF8D1D059559EF23712EBCF9E2A55166D6ED555B9A
SSDEEP: 3072:79pYomfCrU//B3agC1O+SFia5ODXaUam7GnGYsUGFvU:ZKomf/sggObFiIOLa1mKnGYRYs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 3632)
      • cmd.exe (PID: 3512)
      • cmd.exe (PID: 4000)
      • cmd.exe (PID: 1064)
      • cmd.exe (PID: 3652)
      • cmd.exe (PID: 1452)
      • cmd.exe (PID: 3260)
      • cmd.exe (PID: 2368)
      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 556)
      • cmd.exe (PID: 528)
      • cmd.exe (PID: 3616)
      • cmd.exe (PID: 3848)
      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 2504)
      • cmd.exe (PID: 2408)
      • cmd.exe (PID: 2648)
      • cmd.exe (PID: 3840)
      • cmd.exe (PID: 2344)
    • Drops the executable file immediately after the start

      • svcPrvinit.exe (PID: 3636)
    • Actions look like stealing of personal data

      • svcPrvinit.exe (PID: 3636)
    • Renames files like ransomware

      • svcPrvinit.exe (PID: 3636)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 3296)
    • Starts CMD.EXE for command execution

      • svcPrvinit.exe (PID: 3636)
    • Reads the Internet Settings

      • WMIC.exe (PID: 3448)
      • WMIC.exe (PID: 4080)
      • WMIC.exe (PID: 4004)
      • WMIC.exe (PID: 3516)
      • WMIC.exe (PID: 2468)
      • WMIC.exe (PID: 3776)
      • WMIC.exe (PID: 4056)
      • WMIC.exe (PID: 3460)
      • WMIC.exe (PID: 2056)
      • WMIC.exe (PID: 3524)
      • WMIC.exe (PID: 3888)
      • WMIC.exe (PID: 3596)
      • WMIC.exe (PID: 3744)
      • WMIC.exe (PID: 1900)
      • WMIC.exe (PID: 3552)
      • WMIC.exe (PID: 1244)
      • WMIC.exe (PID: 4028)
      • WMIC.exe (PID: 272)
      • WMIC.exe (PID: 3152)
    • Write to the desktop.ini file (may be used to cloak folders)

      • svcPrvinit.exe (PID: 3636)
  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 3048)
      • svcPrvinit.exe (PID: 3636)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3048)
      • svcPrvinit.exe (PID: 3636)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3060)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3048)
      • cmd.exe (PID: 3832)
      • explorer.exe (PID: 1656)
      • explorer.exe (PID: 1460)
      • WINWORD.EXE (PID: 3176)
    • Reads the machine GUID from the registry

      • svcPrvinit.exe (PID: 3636)
    • Creates files in the program directory

      • svcPrvinit.exe (PID: 3636)
    • Creates files or folders in the user directory

      • svcPrvinit.exe (PID: 3636)
    • Dropped object may contain TOR URLs

      • svcPrvinit.exe (PID: 3636)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2023:12:02 14:12:22
ZipCRC: 0x8b6b4ea3
ZipCompressedSize: 104854
ZipUncompressedSize: 251392
ZipFileName: svcPrvinit.bin
No data.
All screenshots are available in the full report

Total processes: 116
Monitored processes: 46
Malicious processes: 21
Suspicious processes: 0

Behavior graph

[Interactive behavior graph, available in the full report. Process nodes shown: start, winrar.exe, wmpnscfg.exe, cmd.exe, svcprvinit.exe, vssvc.exe, repeated cmd.exe / wmic.exe pairs, explorer.exe (two instances), winword.exe; all nodes except cmd.exe and svcprvinit.exe are marked "no specs".]

Process information

PID: 272
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CD816E64-954D-42BE-9185-4135B543186B}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

PID: 528
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2BDBA874-FF68-40B9-8873-DED22C2C1972}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 556
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8C005A83-B1E3-4826-B7A5-32A8DBF82851}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1064
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{99345D7E-5F33-4BBB-BE04-ADE9A0C9D8B5}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1244
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0F97434F-CA6C-4D75-8CF8-7A01EA0921A0}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

PID: 1452
CMD: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F2005F8-2675-4792-8D48-24D30D4C8680}'" delete
Path: C:\Windows\System32\cmd.exe
Parent process: svcPrvinit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1460
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1656
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1900
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{910CFF5C-B16C-4FA9-8646-6FB613F254E4}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

PID: 2056
CMD: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93836671-B4C2-4815-A44B-FB3D04AC7343}'" delete
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events: 4 521
Read events: 4 274
Write events: 58
Delete events: 189

Modification events

Process: WinRAR.exe (PID 3060)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

Process: WinRAR.exe (PID 3060)
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files: 2
Suspicious files: 2 035
Text files: 348
Unknown types: 0

Dropped files

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\MSOCache\read-me3.txt | Type: text
MD5: AF09D790240072A3CC973E9C22D5BB18
SHA256: 078D30ABDB7755150A8943C0FD777C878F3BC8BD4B2470717E0E6AE7AC0A2566

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\Program Files\read-me3.txt | Type: text
MD5: AF09D790240072A3CC973E9C22D5BB18
SHA256: 078D30ABDB7755150A8943C0FD777C878F3BC8BD4B2470717E0E6AE7AC0A2566

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\Program Files\desktop.ini.L0CK3D | Type: binary
MD5: D1B40F663C54AAD2FD9718E654157CF8
SHA256: 74448E82C524B4EC0D8FE57F66B7096369F0C66D6821812A3DC8E72E58F3BA55

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\Program Files\desktop.ini | Type: binary
MD5: D1B40F663C54AAD2FD9718E654157CF8
SHA256: 74448E82C524B4EC0D8FE57F66B7096369F0C66D6821812A3DC8E72E58F3BA55

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\ProgramData\read-me3.txt | Type: text
MD5: AF09D790240072A3CC973E9C22D5BB18
SHA256: 078D30ABDB7755150A8943C0FD777C878F3BC8BD4B2470717E0E6AE7AC0A2566

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\Users\read-me3.txt | Type: text
MD5: AF09D790240072A3CC973E9C22D5BB18
SHA256: 078D30ABDB7755150A8943C0FD777C878F3BC8BD4B2470717E0E6AE7AC0A2566

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\ProgramData\ntuser.pol.L0CK3D | Type: binary
MD5: 53E80CE070E73A8320829E842E4DD537
SHA256: 725FF0FF7AD186647F76C8D7C04116A9E2AAADB82175A399DC039ED37D238620

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\Recovery\read-me3.txt | Type: text
MD5: AF09D790240072A3CC973E9C22D5BB18
SHA256: 078D30ABDB7755150A8943C0FD777C878F3BC8BD4B2470717E0E6AE7AC0A2566

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\Users\desktop.ini | Type: binary
MD5: 732BA69ACA82EEECCE6A9364C71DC827
SHA256: 265A6A50FEC72834FF893DD51EA1A646FC45BF99A8DF3A4EC02D095564608A2C

PID: 3636 | Process: svcPrvinit.exe | Filename: C:\Users\desktop.ini.L0CK3D | Type: binary
MD5: 732BA69ACA82EEECCE6A9364C71DC827
SHA256: 265A6A50FEC72834FF893DD51EA1A646FC45BF99A8DF3A4EC02D095564608A2C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 264
DNS requests: 1
Threats: 1

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
868 | svchost.exe | 23.35.228.137:80 | armmf.adobe.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 192.168.100.129:49221 | - | - | - | unknown
- | - | 192.168.100.129:49222 | - | - | - | unknown
- | - | 192.168.100.129:49223 | - | - | - | unknown
- | - | 192.168.100.129:49224 | - | - | - | unknown
- | - | 192.168.100.129:49225 | - | - | - | unknown
- | - | 192.168.100.129:49226 | - | - | - | unknown
- | - | 192.168.100.129:49227 | - | - | - | unknown

DNS requests

Domain | IP | Reputation
armmf.adobe.com | 23.35.228.137 | whitelisted

Threats

PID: 3636
Process: svcPrvinit.exe
Class: Misc activity
Message: ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
No debug info