File name: DHL Ritardato.zip

Full analysis: https://app.any.run/tasks/2f1c37b5-36cc-468c-b401-e0b6dcda9885
Verdict: Malicious activity
Threats:
Ransomware is malicious software that locks users out of their system or data in order to force a ransom payment. Most often such programs encrypt files on the infected machine and demand a fee in exchange for the decryption key; many operators additionally steal sensitive data from the compromised host, and some run DDoS attacks against the victim organization, as further pressure to pay. This sample is tagged as Sodinokibi (also known as REvil).

Analysis date: June 19, 2019, 15:51:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, sodinokibi
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 53858C1D399AA8781FFDA7D0E0E53596
SHA1: 8801F7328B78BEA59A179D6325A8CF47974DD697
SHA256: 9469ECE98462F00EC5FCAF3B6CD54B6D77B6C476EED19CE0DF2516C021377725
SSDEEP: 3072:i3zrxf0jJBPr0tp7cLQyR18x7yXTKXXElxQP9GRWlSt8NWIv/EJW8a1zOi6wq65u:MOD0tiUMdi0lmVGRWhNnv/EqR6WuT

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by analyst actions during the session and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • DHL_2019-06-informazioni.pdf.exe (PID: 2564)
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
    • Dropped file may contain instructions of ransomware
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
    • Renames files like Ransomware
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
    • Changes settings of System certificates
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
    • Deletes shadow copies
      • cmd.exe (PID: 3176)
    • Starts BCDEDIT.EXE to disable recovery
      • cmd.exe (PID: 3176)
    • Sodinokibi keys found
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3932)
    • Application launched itself
      • DHL_2019-06-informazioni.pdf.exe (PID: 2564)
    • Creates files like Ransomware instruction
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
    • Adds / modifies Windows certificates
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
    • Starts CMD.EXE for command execution
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
    • Executed as Windows Service
      • vssvc.exe (PID: 4024)
    • Creates files in the program directory
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
  • INFO
    • Manual execution by user
      • DHL_2019-06-informazioni.pdf.exe (PID: 2564)
      • NOTEPAD.EXE (PID: 2104)
    • Dropped object may contain TOR URLs
      • DHL_2019-06-informazioni.pdf.exe (PID: 2428)
No malware configuration was extracted.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:06:19 03:19:08
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: DHL Ritardato/

The EXIF fields describe only the first archive entry, which is the directory DHL Ritardato/ (hence the zero CRC and empty sizes); the executable inside it, DHL_2019-06-informazioni.pdf.exe, is not characterised here and only shows up once WinRAR extracts it (see the process list).
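The lure relies on a double extension (.pdf.exe) inside an archive, which the static metadata above does not surface. The following is an added example, not part of the ANY.RUN report, that walks every member of a zip and flags the combination this sample uses: a document-looking inner extension, an executable outer extension, and an MZ header in the content. The archive it scans is constructed in memory to mirror the report's layout (directory entry plus the executable); the member contents are dummy bytes, not the real sample.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run on double-click; a name such as "x.pdf.exe"
# counts on Explorer hiding the final ".exe".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def inspect_member(name: str, head: bytes) -> List[str]:
    """Return the reasons one archive member looks like an executable lure."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) >= 3:
        inner, outer = "." + parts[-2], "." + parts[-1]
        if inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS:
            reasons.append(f"double extension {inner}{outer}")
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{parts[-1]}")
    if head[:2] == b"MZ":                      # PE files start with the DOS stub magic
        reasons.append("PE header (MZ) in content")
    return reasons


def scan_archive(data: bytes) -> Dict[str, List[str]]:
    """Map every suspicious member name to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():                  # e.g. the "DHL Ritardato/" entry
                continue
            with zf.open(info) as fh:
                head = fh.read(2)              # only the magic is needed
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for DHL Ritardato.zip: same layout, dummy content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("DHL Ritardato/", "")
        zf.writestr("DHL Ritardato/DHL_2019-06-informazioni.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("DHL Ritardato/invoice.pdf", b"%PDF-1.4\n")   # benign control member
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

Reading only the first two bytes of each member keeps the check cheap on large archives; extending the magic table (for example to script or LNK headers) is straightforward because `inspect_member` is independent of the zip walk.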
Total processes: 48
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree, rebuilt from the parent-process fields in the process list)

explorer.exe
├── WinRAR.exe (PID 3932)  "C:\Users\admin\Desktop\DHL Ritardato.zip"
├── DHL_2019-06-informazioni.pdf.exe (PID 2564, MEDIUM integrity)
│   └── DHL_2019-06-informazioni.pdf.exe (PID 2428, HIGH integrity)  #SODINOKIBI
│       └── cmd.exe (PID 3176)  /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
│           ├── vssadmin.exe (PID 2356)  Delete Shadows /All /Quiet
│           ├── bcdedit.exe (PID 2496)  /set {default} recoveryenabled No
│           └── bcdedit.exe (PID 2232)  /set {default} bootstatuspolicy ignoreallfailures
└── NOTEPAD.EXE (PID 2104)  hwnpl8g-readme.txt (the analyst opening the ransom note)
services.exe
└── vssvc.exe (PID 4024, SYSTEM)  the Volume Shadow Copy service that vssadmin.exe talks to

Two things in this tree matter for response. First, the relaunched copy (PID 2428) runs at HIGH integrity while the first instance (PID 2564) ran at MEDIUM: the sample elevates itself before doing anything destructive. Second, the single cmd.exe line chains the three standard recovery-inhibition steps: delete every Volume Shadow Copy, turn off automatic Windows Recovery Environment repair (recoveryenabled No), and tell the boot manager to ignore boot failures instead of offering recovery (bootstatuspolicy ignoreallfailures). Only after that does the encryption become visible.

Process information

PID 2104
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\DHL Ritardato\hwnpl8g-readme.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules: c:\windows\system32\notepad.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\user32.dll

PID 2232
CMD: bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\system32\bcdedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: HIGH
Description: Boot Configuration Data Editor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules: c:\windows\system32\bcdedit.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID 2356
CMD: vssadmin.exe Delete Shadows /All /Quiet
Path: C:\Windows\system32\vssadmin.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules: c:\windows\system32\vssadmin.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\atl.dll, c:\windows\system32\user32.dll

PID 2428
CMD: "C:\Users\admin\Desktop\DHL Ritardato\DHL_2019-06-informazioni.pdf.exe"
Path: C:\Users\admin\Desktop\DHL Ritardato\DHL_2019-06-informazioni.pdf.exe
Indicators: #SODINOKIBI
Parent process: DHL_2019-06-informazioni.pdf.exe (PID 2564)
User: admin
Company / Description / Version: none reported
Integrity level: HIGH
Exit code: 0
Modules: c:\users\admin\desktop\dhl ritardato\dhl_2019-06-informazioni.pdf.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\imm32.dll

PID 2496
CMD: bcdedit /set {default} recoveryenabled No
Path: C:\Windows\system32\bcdedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: HIGH
Description: Boot Configuration Data Editor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules: c:\windows\system32\bcdedit.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID 2564
CMD: "C:\Users\admin\Desktop\DHL Ritardato\DHL_2019-06-informazioni.pdf.exe"
Path: C:\Users\admin\Desktop\DHL Ritardato\DHL_2019-06-informazioni.pdf.exe
Parent process: explorer.exe
User: admin
Company / Description / Version: none reported
Integrity level: MEDIUM
Exit code: 0
Modules: c:\users\admin\desktop\dhl ritardato\dhl_2019-06-informazioni.pdf.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\usp10.dll, c:\windows\system32\imm32.dll

PID 3176
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\cmd.exe
Parent process: DHL_2019-06-informazioni.pdf.exe (PID 2428)
User: admin
Company: Microsoft Corporation
Integrity level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules: c:\windows\system32\cmd.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID 3932
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\DHL Ritardato.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules: c:\program files\winrar\winrar.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\comdlg32.dll

PID 4024
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules: c:\windows\system32\vssvc.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll
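The process list above is the kind of evidence a process-creation telemetry source (Sysmon event 1, EDR process events) records, and the recovery-inhibition chain plus the self-relaunch with elevated integrity are the parts worth alerting on. The following is an added example, not code from ANY.RUN or from the sample, that runs those checks over process events modelled on this report. PIDs, images, command lines and integrity levels come from the report; the parent PIDs and explorer.exe's own PID are not shown there and are constructed. The `wmic shadowcopy delete` alternative in the first rule is a generalisation beyond what this sample ran.

```python
import re
from typing import Dict, List, Set, Tuple

SAMPLE = r"C:\Users\admin\Desktop\DHL Ritardato\DHL_2019-06-informazioni.pdf.exe"

# Constructed process-creation events modelled on the report's process list.
# ppid values and explorer's PID (1000) are assumptions made for the example.
EVENTS: List[Dict] = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "integrity": "Medium"},
    {"pid": 3932, "ppid": 1000, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\DHL Ritardato.zip"',
     "integrity": "Medium"},
    {"pid": 2564, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "integrity": "Medium"},
    {"pid": 2428, "ppid": 2564, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "integrity": "High"},
    {"pid": 3176, "ppid": 2428, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
                r'& bcdedit /set {default} recoveryenabled No '
                r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures',
     "integrity": "High"},
    {"pid": 2356, "ppid": 3176, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet", "integrity": "High"},
    {"pid": 2496, "ppid": 3176, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No", "integrity": "High"},
    {"pid": 2232, "ppid": 3176, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "integrity": "High"},
    {"pid": 2104, "ppid": 1000, "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\DHL Ritardato\hwnpl8g-readme.txt',
     "integrity": "Medium"},
]

# Command-line rules. The vssadmin and both bcdedit patterns are exactly what
# cmd.exe (PID 3176) ran; "wmic shadowcopy delete" is the common equivalent,
# added so the rule is not tied to one tool.
RULES: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]
LEVEL = {"Low": 1, "Medium": 2, "High": 3, "System": 4}
# Built-in tools that merely carry out the command; a hit on them is attributed
# to the nearest ancestor that is not one of these.
PROXY_IMAGES = {"cmd.exe", "vssadmin.exe", "bcdedit.exe", "wmic.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[int, str]] = []
    for e in events:
        for name, rx in RULES:
            if rx.search(e["cmdline"]):
                hits.append((e["pid"], name))
        parent = by_pid.get(e["ppid"])
        # Same image re-spawned at a higher integrity level: the relaunch the
        # report flags as "Application launched itself", seen here as
        # MEDIUM (PID 2564) -> HIGH (PID 2428).
        if (parent is not None and parent["image"].lower() == e["image"].lower()
                and LEVEL[parent["integrity"]] < LEVEL[e["integrity"]]):
            hits.append((e["pid"], "self_relaunch_elevated"))
    return hits


def attribute(events: List[Dict], hits: List[Tuple[int, str]]) -> Dict[int, Set[str]]:
    """Fold hits onto the originating process by walking up past proxy images."""
    by_pid = {e["pid"]: e for e in events}
    origin: Dict[int, Set[str]] = {}
    for pid, rule in hits:
        e = by_pid[pid]
        while basename(e["image"]) in PROXY_IMAGES and e["ppid"] in by_pid:
            e = by_pid[e["ppid"]]
        origin.setdefault(e["pid"], set()).add(rule)
    return origin


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for pid, rules in attribute(EVENTS, detect(EVENTS)).items():
        print(pid, basename(by_pid[pid]["image"]), sorted(rules))
```

The attribution step is what turns four separate alerts on cmd.exe, vssadmin.exe and bcdedit.exe into one finding against PID 2428, which is the process to contain; matching on the proxies alone would point an analyst at built-in Windows tools.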
Total events: 502
Read events: 450
Write events: 52
Delete events: 0

Modification events (registry)

Ten of the report's 52 write events are listed here. All of them come from WinRAR.exe (PID 3932) and are its own UI state; none of the entries shown is attributed to the sample.

(PID 3932) WinRAR.exe  HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes  write  ShellExtBMP = (no value shown)
(PID 3932) WinRAR.exe  HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes  write  ShellExtIcon = (no value shown)
(PID 3932) WinRAR.exe  HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E  write  LanguageList = en-US
(PID 3932) WinRAR.exe  HKEY_CURRENT_USER\Software\WinRAR\ArcHistory  write  0 = C:\Users\admin\Desktop\DHL Ritardato.zip
(PID 3932) WinRAR.exe  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  write  name = 120
(PID 3932) WinRAR.exe  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  write  size = 80
(PID 3932) WinRAR.exe  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  write  type = 120
(PID 3932) WinRAR.exe  HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  write  mtime = 100
(PID 3932) WinRAR.exe  HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath  write  0 = C:\Users\admin\Desktop
(PID 3932) WinRAR.exe  HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin  write  Placement = 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 1
Suspicious files: 161
Text files: 1
Unknown types: 4

Dropped files (all written by PID 2428, DHL_2019-06-informazioni.pdf.exe; the MD5 and SHA256 columns are empty in this excerpt)

PID   Process                           Filename                                                                Type
2428  DHL_2019-06-informazioni.pdf.exe  C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim              -
2428  DHL_2019-06-informazioni.pdf.exe  c:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.hwnpl8g      -
2428  DHL_2019-06-informazioni.pdf.exe  C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi               -
2428  DHL_2019-06-informazioni.pdf.exe  C:\users\admin\hwnpl8g-readme.txt                                       binary
2428  DHL_2019-06-informazioni.pdf.exe  C:\hwnpl8g-readme.txt                                                   binary
2428  DHL_2019-06-informazioni.pdf.exe  c:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\hwnpl8g-readme.txt     binary
2428  DHL_2019-06-informazioni.pdf.exe  C:\users\hwnpl8g-readme.txt                                             binary
2428  DHL_2019-06-informazioni.pdf.exe  C:\program files\hwnpl8g-readme.txt                                     binary
2428  DHL_2019-06-informazioni.pdf.exe  C:\recovery\hwnpl8g-readme.txt                                          binary
2428  DHL_2019-06-informazioni.pdf.exe  C:\users\administrator\hwnpl8g-readme.txt                               binary

Two patterns here are usable as host indicators. Encrypted files get the extension .hwnpl8g appended to their full original name (Winre.wim becomes Winre.wim.hwnpl8g), and the ransom note is hwnpl8g-readme.txt, dropped in every directory the sample walks; the extension and the note prefix are the same per-victim token, so either one identifies the other. Note also that the sample reaches into C:\Recovery and encrypts Winre.wim, the Windows Recovery Environment image, on top of the bcdedit changes that disable recovery at boot.
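File-system telemetry (Sysmon file-create events, an EDR's rename records, or a minifilter log) can catch the two patterns above before the process-level indicators are reviewed. The following is an added example, not code from ANY.RUN or from the sample, that correlates them: it groups renames of the form `<name>.<token>` and creations of `<token>-readme.txt` by token, and reports a token only when both a burst of renames and notes in several directories share it. The events are constructed: the note paths and the Winre.wim pair are from the report, while the remaining renames, the benign noise and the event order are made up. The assumed token shape (5 to 12 alphanumeric characters) and the thresholds are choices for the example, not something the report states.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed file events modelled on the report's "Dropped files" list.
EVENTS: List[Dict] = [
    {"pid": 2428, "op": "rename",
     "path": r"C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim",
     "new_path": r"c:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.hwnpl8g"},
    {"pid": 2428, "op": "rename",                       # constructed
     "path": r"C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi",
     "new_path": r"C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi.hwnpl8g"},
    {"pid": 2428, "op": "rename",                       # constructed
     "path": r"C:\Users\admin\Documents\budget.xlsx",
     "new_path": r"C:\Users\admin\Documents\budget.xlsx.hwnpl8g"},
    {"pid": 2428, "op": "create", "path": r"C:\users\admin\hwnpl8g-readme.txt"},
    {"pid": 2428, "op": "create", "path": r"C:\hwnpl8g-readme.txt"},
    {"pid": 2428, "op": "create", "path": r"c:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\hwnpl8g-readme.txt"},
    {"pid": 2428, "op": "create", "path": r"C:\users\hwnpl8g-readme.txt"},
    {"pid": 2428, "op": "create", "path": r"C:\program files\hwnpl8g-readme.txt"},
    {"pid": 2428, "op": "create", "path": r"C:\recovery\hwnpl8g-readme.txt"},
    {"pid": 2428, "op": "create", "path": r"C:\users\administrator\hwnpl8g-readme.txt"},
    # Benign noise (constructed): an editor's backup rename and an ordinary readme.
    {"pid": 1888, "op": "rename", "path": r"C:\Users\admin\report.docx",
     "new_path": r"C:\Users\admin\report.docx.backup"},
    {"pid": 1888, "op": "create", "path": r"C:\Users\admin\readme.txt"},
]

TOKEN = r"[a-z0-9]{5,12}"          # assumed shape of the per-victim string
NOTE_RX = re.compile(rf"^({TOKEN})-readme\.txt$", re.I)
TOKEN_RX = re.compile(rf"^{TOKEN}$", re.I)


def appended_token(old: str, new: str) -> Optional[str]:
    """Return the token if new is exactly old + '.' + token (case-insensitive)."""
    if new.lower().startswith(old.lower() + "."):
        tail = new[len(old) + 1:]
        if TOKEN_RX.match(tail):
            return tail.lower()
    return None


def analyse(events: List[Dict], min_files: int = 3, min_dirs: int = 3) -> List[Dict]:
    """Report each token that both renamed >= min_files files and left notes in >= min_dirs dirs."""
    renamed = defaultdict(set)   # token -> original paths given that extension
    notes = defaultdict(set)     # token -> directories holding <token>-readme.txt
    pids = defaultdict(set)      # token -> processes responsible
    for ev in events:
        if ev["op"] == "rename":
            tok = appended_token(ev["path"], ev["new_path"])
            if tok:
                renamed[tok].add(ev["path"].lower())
                pids[tok].add(ev["pid"])
        elif ev["op"] == "create":
            directory, _, name = ev["path"].rpartition("\\")
            m = NOTE_RX.match(name)
            if m:
                tok = m.group(1).lower()
                notes[tok].add(directory.lower())
                pids[tok].add(ev["pid"])
    verdicts = []
    for tok in sorted(set(renamed) | set(notes)):
        if len(renamed[tok]) >= min_files and len(notes[tok]) >= min_dirs:
            verdicts.append({"token": tok, "encrypted_files": len(renamed[tok]),
                             "note_dirs": len(notes[tok]), "pids": sorted(pids[tok])})
    return verdicts


if __name__ == "__main__":
    for v in analyse(EVENTS):
        print(v)
```

Requiring both halves of the pattern is what keeps the benign `.backup` rename out of the result: a single appended extension is common, a single readme is common, but the same random token appearing as an extension on many files and as a note prefix in many directories is not.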
HTTP(S) requests: 0
TCP/UDP connections: 99
DNS requests: 75
Threats: 14

HTTP requests
No HTTP requests

Connections

PID         Process                           IP:port              Domain             ASN                          CN  Reputation
2428        DHL_2019-06-informazioni.pdf.exe  46.30.215.176:443    factorywizuk.com   One.com A/S                  DK  malicious
2428        DHL_2019-06-informazioni.pdf.exe  45.76.45.105:443     triplettagaite.fr  Choopa, LLC                  FR  unknown
(not shown) (not shown)                       145.239.95.118:443   zaczytana.com      OVH SAS                      PL  unknown
2428        DHL_2019-06-informazioni.pdf.exe  145.239.95.118:443   zaczytana.com      OVH SAS                      PL  unknown
2428        DHL_2019-06-informazioni.pdf.exe  78.47.210.44:443     suitesartemis.gr   Hetzner Online GmbH          DE  malicious
2428        DHL_2019-06-informazioni.pdf.exe  185.154.52.252:443   ya-elka.ru         Servers.com, Inc.            RU  unknown
2428        DHL_2019-06-informazioni.pdf.exe  198.252.101.174:443  khtrx.com          SoftLayer Technologies Inc.  SG  suspicious
(not shown) (not shown)                       176.31.247.6:443     condormobile.fr    OVH SAS                      FR  unknown
2428        DHL_2019-06-informazioni.pdf.exe  176.31.247.6:443     condormobile.fr    OVH SAS                      FR  unknown
(not shown) (not shown)                       149.210.195.135:443  salonlamar.nl      Transip B.V.                 NL  malicious

Only ten of the 99 recorded connections are listed. The pattern is the relevant part: the sample opens port-443 connections to many unrelated hosting domains, none of them produced a parsed HTTP request, and Suricata flags the TLS records as invalid (see Threats below). Treat the domains as network indicators specific to this sample rather than as confirmed command-and-control infrastructure, and note that the reputation labels are ANY.RUN's at analysis time and differ between this table and the DNS table for the same host.

DNS requests

Domain             IP                 Reputation
factorywizuk.com   46.30.215.176      malicious
triplettagaite.fr  45.76.45.105       suspicious
leijstrom.com      (no answer shown)  shared
zaczytana.com      145.239.95.118     malicious
www.zaczytana.com  145.239.95.118     unknown
suitesartemis.gr   78.47.210.44       suspicious
fanuli.com.au      23.185.0.2         suspicious
ya-elka.ru         185.154.52.252     malicious
khtrx.com          198.252.101.174    malicious
condormobile.fr    176.31.247.6       suspicious

Threats

PID   Process                           Class                            Message
2428  DHL_2019-06-informazioni.pdf.exe  Generic Protocol Command Decode  SURICATA TLS invalid record type (ten identical alerts listed; the summary above counts 14)