analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

6777.rar

Full analysis: https://app.any.run/tasks/22dfe50d-78b4-49cb-a353-a7c26c5120b6
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: February 21, 2020, 16:16:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

DD9CC1E62FA2F76FDEBEE88E0514D630

SHA1:

E821CA946802E1BFF3A55C56E4A16F60A140C863

SHA256:

88C811F2827F9A4BF284D812295555A0453C1C48C6B722D3D7D279D859E9BAE0

SSDEEP:

1536:UtnXjgvGF8ROcSF1kirizmWa3/1f07tChSsWkj1xM3fGVKSOwefO5Z:QTgf6OzmWa3/1fK0YsWkj03fGVmsZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 6777.exe (PID: 916)
      • 3444.exe (PID: 2580)
      • 3444.exe (PID: 664)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3840)

    • Writes file to Word startup folder

      • 3444.exe (PID: 664)

    • Writes to a start menu file

      • 3444.exe (PID: 664)

    • Loads dropped or rewritten executable

      • Setup.exe (PID: 3056)

    • Actions looks like stealing of personal data

      • 3444.exe (PID: 664)

    • Modifies files in Chrome extension folder

      • 3444.exe (PID: 664)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 6777.exe (PID: 916)
      • Setup.exe (PID: 3056)

    • Application launched itself

      • 3444.exe (PID: 2580)

    • Starts CMD.EXE for commands execution

      • 6777.exe (PID: 916)

    • Starts CMD.EXE for self-deleting

      • 6777.exe (PID: 916)

    • Reads the cookies of Google Chrome

      • 3444.exe (PID: 664)

    • Creates files like Ransomware instruction

      • 3444.exe (PID: 664)

    • Executed via COM

      • Setup.exe (PID: 3056)

    • Searches for installed software

      • Setup.exe (PID: 3056)

    • Creates files in the program directory

      • 3444.exe (PID: 664)

    • Creates files in the user directory

      • 3444.exe (PID: 664)

  • INFO

    • Manual execution by user

      • 6777.exe (PID: 916)
      • NOTEPAD.EXE (PID: 1692)
      • WINWORD.EXE (PID: 3776)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3776)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
10
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs 6777.exe 3444.exe 3444.exe cmd.exe no specs ping.exe no specs ping.exe no specs notepad.exe no specs winword.exe no specs setup.exe

Process information

PID
CMD
Path
Indicators
Parent process
2864"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6777.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
916"C:\Users\admin\Desktop\6777.exe" C:\Users\admin\Desktop\6777.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
2580"C:\Users\admin\Desktop\3444.exe" C:\Users\admin\Desktop\3444.exe
6777.exe
User:
admin
Company:
a7R9J
Integrity Level:
HIGH
Description:
Gd5j6F
Exit code:
0
Version:
3.4.3.47
664C:\Users\admin\Desktop\3444.exeC:\Users\admin\Desktop\3444.exe
3444.exe
User:
admin
Company:
a7R9J
Integrity Level:
HIGH
Description:
Gd5j6F
Version:
3.4.3.47
3840"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\admin\Desktop\6777.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\admin\Desktop\6777.exe"C:\Windows\System32\cmd.exe6777.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3696ping 1.1.1.1 -n 1 -w 100 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1196ping 1.1.1.1 -n 1 -w 900 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1692"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Recover my files, please.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3776"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\6E69636563616E616461.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3056"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Setup Bootstrapper
Version:
14.0.6010.1000
Total events
3 095
Read events
2 743
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
2 250
Text files
1 245
Unknown types
44

Dropped files

PID
Process
Filename
Type
2864WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2864.29541\6777.exe
MD5:
SHA256:
6643444.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\49636F6E43616368655264723635353336.datbinary
MD5:815360061843E654B1F0D21022408FD3
SHA256:BEA21059FB324E43EEAB4DB5020C8518F39E531B762E09F2EA1FB5A5C1146AC0
6643444.exeC:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\646174615F33binary
MD5:542D5D0447FD415A82BB2875D6007068
SHA256:1F36D91AA537E7E490F21D86E39CAC26BE767A51C99C23BD56B28BE650D2DB09
6643444.exeC:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\646174615F32binary
MD5:FBC5AE4D7A4A5A49ED698AA12AC39249
SHA256:0825CBB88497D9BF9C8655EB291CB799BB50FDFCFE6EC427AE151D69887AE9B3
6643444.exeC:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\646174615F31binary
MD5:BBEC65D9CBA40C66D15F3C3648AA59E6
SHA256:5650EA3258B4FC7E8EA56D4E948E03FA2973B0E424A9E1479787285C37E11390
9166777.exeC:\Users\admin\Desktop\3444.exeexecutable
MD5:1FCD60EA4C4A9AB3114595E0516EB87F
SHA256:92E95B6A71861F25EB41CF2FB8691D6184FCD28C232AE9A1A85B86FCE73A7240
6643444.exeC:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\646174615F30binary
MD5:AFC9F7B867F90C8ACD60AC653BDC16D3
SHA256:C25C0B7AA656A3B0698F2EDF0E74292F6DC061EECC9A6F4C00BC49495175586A
6643444.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\557365724361636865.binbinary
MD5:38B219D1723E5D7C0AEE7CBA4EDF6E6A
SHA256:DB53A652C45801B40710369E58FF91647D46B7DCB172C3AAD326552A0DE58A56
6643444.exeC:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\696E646578binary
MD5:AF04D2E8572B853E7F083519C35D0E1C
SHA256:6C66EEFCADA5C842C00B3A48A22963D2536CC6AEA544A539A1E66613D19C6ED7
6643444.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\536861726564446174614576656E7473binary
MD5:9583FA2F80F03F7FB40AAAAE1421E801
SHA256:2C668834632BC3BA1A320F4566D5D85E37FC08F2C822CBF1E35A353373A86A54
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
6777.rar