File name: b11ab58788529d4c96fbe01980eb76138026275e33914e3c624c1a97bc9eeb23.zip
Full analysis: https://app.any.run/tasks/2a47c341-1164-44b9-91bd-f05c604da3d7
Verdict: Malicious activity
Threats: Ransomware

Ransomware is malicious software that locks users out of their system or data in order to extort a payment. Most often it encrypts files on the infected machine and demands a fee in exchange for the decryption key. Such programs can additionally steal sensitive information from the compromised computer and conduct DDoS attacks against the affected organization to increase the pressure to pay.

Analysis date: September 30, 2020, 07:14:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, sodinokibi
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 37B9FBD21B583909E4343504544AF132
SHA1: CB942DB24FB2B763CE0285A99CDB0638E05AC464
SHA256: 9501A92B0097577CC88D0A39EFB4D0B1701C8A84755D5988536B680030F55CF0
SSDEEP: 6144:ezmeppvY8Dx4bOFWOvkB27SEUrYvpz8LVvE0YB8U2c93RTk+0czF:KppvY8ubUp7SpERzenYXhz5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process: 23.exe (PID: 3196)
    • Sodinokibi keys found: Regasm.exe (PID: 2100)
    • Starts BCDEDIT.EXE to disable recovery: cmd.exe (PID: 3472)
    • Sodinokibi ransom note found: Regasm.exe (PID: 2100)
    • Deletes shadow copies: cmd.exe (PID: 3472)
    • Renames files like Ransomware: Regasm.exe (PID: 2100)
  • SUSPICIOUS
    • Application launched itself: WinRAR.exe (PID: 2696)
    • Executable content was dropped or overwritten: WinRAR.exe (PID: 552)
    • Starts CMD.EXE for commands execution: Regasm.exe (PID: 2100)
    • Executed as Windows Service: vssvc.exe (PID: 2264)
    • Creates files like Ransomware instruction: Regasm.exe (PID: 2100)
  • INFO
    • Manual execution by user: 23.exe (PID: 3196)
    • Dropped object may contain TOR URLs: Regasm.exe (PID: 2100)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: b11ab58788529d4c96fbe01980eb76138026275e33914e3c624c1a97bc9eeb23.zip
ZipUncompressedSize: 348263
ZipCompressedSize: 348338
ZipCRC: 0x828848d6
ZipModifyDate: 2020:09:30 07:13:27
ZipCompression: Unknown (99)
ZipBitFlag: 0x0003
ZipRequiredVersion: 20

Note: ExifTool labels compression method 99 as "Unknown", but in the ZIP specification method 99 is the marker for WinZip AES (AE-x) encrypted entries, and bit 0 of the general-purpose bit flag (set here, 0x0003) marks the entry as encrypted. The first entry of the submitted archive is therefore a password-protected inner zip named after its own SHA256, which is consistent with the compressed size exceeding the uncompressed size and with the sandbox having no static content to show:

No data.
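Before detonating an archive it is worth reading the entry headers without extracting anything, so that an encrypted entry (method 99, flag bit 0) is recognised up front instead of being discovered as an empty static section. The following Python is an added example, not part of the ANY.RUN report or of ExifTool: it builds a one-entry zip in memory and, for the "encrypted" variant, patches the local and central-directory headers to claim method 99 and flag 0x0003 the way the submitted archive does (the payload itself is not encrypted; the entry name 23.exe and the payload bytes are constructed for the demo), then lists the headers with the standard library zipfile module.

```python
"""Static zip triage: read entry headers, flag encrypted / AES-marked entries.

Added example, not part of the ANY.RUN report. The sample archive is
constructed here; build_sample_zip() only patches header fields so that
triage_zip() sees what an AES-encrypted (method 99) entry looks like.
"""
import io
import struct
import zipfile

ZIP_METHOD_AES_MARKER = 99     # APPNOTE: AE-x encryption marker
ZIP_FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0


def build_sample_zip(name: str, payload: bytes, claim_aes: bool) -> bytes:
    """Construct a single-entry STORED zip; optionally rewrite its headers
    to claim method 99 / flag 0x0003 (what the submitted archive reports)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if claim_aes:
        # Local file header (at offset 0 for the only entry):
        # flag at +6, compression method at +8.
        struct.pack_into("<HH", data, 6, 0x0003, ZIP_METHOD_AES_MARKER)
        # End-of-central-directory record is the last 22 bytes (no comment);
        # the central directory offset sits at +16 within it.
        cd_off = struct.unpack_from("<I", data, len(data) - 22 + 16)[0]
        # Central directory entry: flag at +8, compression method at +10.
        struct.pack_into("<HH", data, cd_off + 8, 0x0003, ZIP_METHOD_AES_MARKER)
    return bytes(data)


def triage_zip(data: bytes) -> list[dict]:
    """List every entry's header facts without extracting any content."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            out.append({
                "name": info.filename,
                "method": info.compress_type,
                "encrypted": bool(info.flag_bits & ZIP_FLAG_ENCRYPTED),
                "aes_marker": info.compress_type == ZIP_METHOD_AES_MARKER,
                "size": info.file_size,
                "csize": info.compress_size,
            })
    return out


def demo() -> tuple[list[dict], list[dict]]:
    """Constructed payload: a fake MZ stub, not the real 23.exe."""
    payload = b"MZ" + b"\x00" * 62
    encrypted = triage_zip(build_sample_zip("23.exe", payload, claim_aes=True))
    plain = triage_zip(build_sample_zip("23.exe", payload, claim_aes=False))
    return encrypted, plain


if __name__ == "__main__":
    enc, pl = demo()
    for row in enc + pl:
        print(row)
```

zipfile lists entries from the central directory without validating the method, so the listing works even though it could not decompress a method-99 entry; attempting zf.open() on the encrypted entry without a password raises instead, which is exactly the point at which an automated pipeline should stop and ask for the password rather than report "no data".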
Total processes: 47
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree, reconstructed from the parent-process column of the process table)

explorer.exe
├── WinRAR.exe (PID 2696)
│   └── WinRAR.exe (PID 552)
└── 23.exe (PID 3196)
    └── Regasm.exe (PID 2100)  #SODINOKIBI
        └── cmd.exe (PID 3472)
            ├── vssadmin.exe (PID 996)
            ├── bcdedit.exe (PID 2104)
            └── bcdedit.exe (PID 2716)
services.exe
└── vssvc.exe (PID 2264)

Process information

PID: 2696
Process: WinRAR.exe
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\b11ab58788529d4c96fbe01980eb76138026275e33914e3c624c1a97bc9eeb23.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 552
Process: WinRAR.exe
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb2696.41223\b11ab58788529d4c96fbe01980eb76138026275e33914e3c624c1a97bc9eeb23.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3196
Process: 23.exe
CMD: "C:\Users\admin\Desktop\23.exe"
Path: C:\Users\admin\Desktop\23.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: (none)
Exit code: 0
Version: 0.0.0.0

PID: 2100
Process: Regasm.exe
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe
Parent process: 23.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 4.7.3062.0 built by: NET472REL1

PID: 3472
Process: cmd.exe
CMD: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\System32\cmd.exe
Parent process: Regasm.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 996
Process: vssadmin.exe
CMD: vssadmin.exe Delete Shadows /All /Quiet
Path: C:\Windows\system32\vssadmin.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2264
Process: vssvc.exe
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2104
Process: bcdedit.exe
CMD: bcdedit /set {default} recoveryenabled No
Path: C:\Windows\system32\bcdedit.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Boot Configuration Data Editor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2716
Process: bcdedit.exe
CMD: bcdedit /set {default} bootstatuspolicy ignoreallfailures
Path: C:\Windows\system32\bcdedit.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Boot Configuration Data Editor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Note: cmd.exe (PID 3472) and its three children run as SYSTEM although their parent, Regasm.exe (PID 2100), runs at MEDIUM integrity as user admin. The report records this elevation but does not show how it was obtained; the single cmd.exe command line chains the three recovery-inhibiting steps (shadow copy deletion, recovery disabled, boot status policy set to ignore all failures) that the MALICIOUS indicators above refer to.
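The cmd.exe command line, the parent/child relations and the integrity column above are the fields a detection engineer keys on. The following Python is an added example, not part of the ANY.RUN report: it rebuilds the chain from constructed process-creation events whose values are taken from the process table (the explorer.exe and services.exe PIDs, the event field names and the rule names are assumptions) and flags shadow-copy deletion, boot-recovery tampering, a signed .NET utility spawning a shell, and a child running at higher integrity than its parent.

```python
"""Process-chain triage rules for the Sodinokibi trace above.

Added example, not part of the ANY.RUN report. Events are constructed from
the report's process table; explorer.exe/services.exe PIDs, field names and
rule names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str        # executable basename
    cmdline: str
    integrity: str    # LOW / MEDIUM / HIGH / SYSTEM, as shown in the report


INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# Command-line patterns that inhibit recovery (case-insensitive).
RECOVERY_INHIBIT = (
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bootstatus_ignore",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
)

# Signed .NET utilities that have no legitimate reason to start a shell (assumed list).
LOLBINS_NO_SHELL = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def detect(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Return {pid: sorted rule names} for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits: dict[int, list[str]] = defaultdict(list)
    for e in events:
        for rule, rx in RECOVERY_INHIBIT:
            if rx.search(e.cmdline):
                hits[e.pid].append(rule)
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if parent.image.lower() in LOLBINS_NO_SHELL and e.image.lower() in SHELLS:
            hits[e.pid].append("lolbin_spawns_shell")
        if INTEGRITY_RANK[e.integrity] > INTEGRITY_RANK[parent.integrity]:
            hits[e.pid].append("integrity_jump")
    return {pid: sorted(rules) for pid, rules in hits.items()}


ZIP = "b11ab58788529d4c96fbe01980eb76138026275e33914e3c624c1a97bc9eeb23.zip"
CMD_3472 = (r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
            r'& bcdedit /set {default} recoveryenabled No '
            r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures')


def sample_events() -> list[ProcEvent]:
    """Constructed from the report's process table; PIDs 1000 and 500 are assumed."""
    return [
        ProcEvent(1000, 0, "explorer.exe", "explorer.exe", "MEDIUM"),
        ProcEvent(500, 0, "services.exe", "services.exe", "SYSTEM"),
        ProcEvent(2696, 1000, "WinRAR.exe",
                  rf'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\{ZIP}"', "MEDIUM"),
        ProcEvent(552, 2696, "WinRAR.exe",
                  rf'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb2696.41223\{ZIP}', "MEDIUM"),
        ProcEvent(3196, 1000, "23.exe", r'"C:\Users\admin\Desktop\23.exe"', "MEDIUM"),
        ProcEvent(2100, 3196, "Regasm.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe"', "MEDIUM"),
        ProcEvent(3472, 2100, "cmd.exe", CMD_3472, "SYSTEM"),
        ProcEvent(996, 3472, "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet", "SYSTEM"),
        ProcEvent(2264, 500, "vssvc.exe", r"C:\Windows\system32\vssvc.exe", "SYSTEM"),
        ProcEvent(2104, 3472, "bcdedit.exe", "bcdedit /set {default} recoveryenabled No", "SYSTEM"),
        ProcEvent(2716, 3472, "bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "SYSTEM"),
    ]


if __name__ == "__main__":
    for pid, rules in detect(sample_events()).items():
        print(pid, rules)
```

On a real host the same rules run over Sysmon Event ID 1 or EDR process telemetry. The command-line rules alone also fire on an administrator who deliberately deletes shadow copies; what separates this trace is the combination with lolbin_spawns_shell and integrity_jump, because here the shell appears as SYSTEM under a MEDIUM-integrity Regasm.exe that was itself started by an unsigned 23.exe from the Desktop.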
Total events: 1 019
Read events: 950
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 98
Text files: 1
Unknown types: 3

Dropped files

PID 2100, Regasm.exe: f444e61nt-readme.txt (type: binary), one identical copy in each of the following directories:
  C:\Users\admin\.oracle_jre_usage\
  C:\Users\admin\
  C:\Users\admin\Downloads\
  C:\Users\Public\Documents\
  C:\Users\admin\Favorites\
  C:\Users\admin\Desktop\
  C:\Users\admin\Pictures\
  C:\Users\admin\Searches\
  MD5: 4E4BB5DE7BFC24B8D52AD95BCBFDE6E5
  SHA256: B99F12846A21B95EA10B59DB9F9CF04BCBACF45C2AA69F8CF9D8884E8FDAACC9

PID 2696, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DIb2696.41223\b11ab58788529d4c96fbe01980eb76138026275e33914e3c624c1a97bc9eeb23.zip (type: compressed)
  MD5: 419E14F0E9A41A69A975C89D60FDA331
  SHA256: B11AB58788529D4C96FBE01980EB76138026275E33914E3C624C1A97BC9EEB23

PID 2100, Regasm.exe: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp (type, MD5 and SHA256 not recorded)

Note: the SHA256 of the archive WinRAR extracted to its temp directory equals the file name of the submission, while the submission itself hashes to 9501A92B...F55CF0 (see Indicators). The submitted file is thus an outer zip wrapping the inner b11ab...zip, and it is the second WinRAR instance (PID 552) that opens the inner archive from which 23.exe is dropped. The ransom note is written with the same content to every user-facing directory, which makes its hash and its name pattern (a random token followed by -readme.txt) reliable host-based indicators.
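The fan-out shown above, one note body written under a randomised name into every user directory, is a pattern that can be hunted on a disk image or a live host without knowing the specific token in advance. The following Python is an added example, not part of the ANY.RUN report: it walks a tree (hidden directories such as .oracle_jre_usage included), groups files whose name matches the token-readme.txt pattern by SHA-256, and reports groups present in several directories. The name regex, the minimum-copies threshold and the sample tree with its placeholder note body are assumptions constructed for the demo.

```python
"""Ransom-note fan-out finder.

Added example, not part of the ANY.RUN report. Looks for the pattern in the
"Dropped files" table: identical content under a <token>-readme.txt name in
many directories. Name regex, threshold and sample tree are assumptions.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# e.g. f444e61nt-readme.txt; token length bounds are an assumption.
NOTE_NAME = re.compile(r"^[0-9a-z]{5,12}-readme\.txt$", re.IGNORECASE)


def sha256_file(path: str, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_ransom_notes(root: str, min_copies: int = 3) -> dict:
    """Return {sha256: {"names": set, "dirs": [relative dirs]}} for note-like
    files whose identical content appears in at least min_copies directories."""
    groups = defaultdict(lambda: {"names": set(), "dirs": []})
    for dirpath, _dirs, files in os.walk(root):      # os.walk descends into dot-dirs too
        for fn in files:
            if not NOTE_NAME.match(fn):
                continue
            digest = sha256_file(os.path.join(dirpath, fn))
            groups[digest]["names"].add(fn)
            groups[digest]["dirs"].append(os.path.relpath(dirpath, root))
    return {d: g for d, g in groups.items() if len(g["dirs"]) >= min_copies}


# Constructed placeholder; not the text of the real note.
SAMPLE_NOTE = b"CONSTRUCTED ransom note body used only for this example\n"


def build_sample_tree(root: str) -> None:
    """Constructed layout mirroring the report: the same note in several
    directories, plus two decoys that must not be reported."""
    for sub in ("Desktop", "Downloads", "Pictures", "Favorites", "Searches",
                os.path.join("Public", "Documents"), ".oracle_jre_usage"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "f444e61nt-readme.txt"), "wb") as f:
            f.write(SAMPLE_NOTE)
    with open(os.path.join(root, "Desktop", "readme.txt"), "wb") as f:
        f.write(b"ordinary readme, name does not match\n")
    with open(os.path.join(root, "Downloads", "abc123-readme.txt"), "wb") as f:
        f.write(b"matches the name pattern but exists once, below threshold\n")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_ransom_notes(root)


if __name__ == "__main__":
    for digest, g in demo().items():
        print(digest[:16], sorted(g["names"]), len(g["dirs"]), "dirs")
```

Grouping by content hash rather than by name is deliberate: the token changes per victim, but every copy on one host is byte-identical, so a single true positive immediately yields a hash that can be searched across the estate.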
HTTP(S) requests: 0
TCP/UDP connections: 43
DNS requests: 28
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
2100 | Regasm.exe | 35.228.55.150:443 | thestudio.academy | (not recorded) | US | suspicious
2100 | Regasm.exe | 192.99.236.66:443 | breathebettertolivebetter.com | OVH SAS | CA | suspicious
2100 | Regasm.exe | 91.195.240.13:443 | janasfokus.com | SEDO GmbH | DE | malicious
(not recorded) | (not recorded) | 94.231.107.137:443 | trivselsguide.dk | Zitcom A/S | DK | suspicious
2100 | Regasm.exe | 107.191.63.1:443 | pajagus.fr | Choopa, LLC | FR | suspicious
2100 | Regasm.exe | 209.59.176.87:443 | scietech.academy | Liquid Web, L.L.C | US | suspicious
2100 | Regasm.exe | 74.208.236.75:443 | nexstagefinancial.com | 1&1 Internet SE | US | malicious
(not recorded) | (not recorded) | 80.240.20.142:443 | mangimirossana.it | Cosmoline Telecommunication Services S.A. | GR | suspicious
2100 | Regasm.exe | 35.225.43.3:443 | paradigmlandscape.com | (not recorded) | US | suspicious
2100 | Regasm.exe | 87.230.106.31:443 | cp-bap.de | PlusServer GmbH | DE | suspicious

DNS requests

Domain | IP | Reputation
breathebettertolivebetter.com | 192.99.236.66 | suspicious
scietech.academy | 209.59.176.87 | malicious
janasfokus.com | 91.195.240.13 | malicious
thestudio.academy | 35.228.55.150 | suspicious
pajagus.fr | 107.191.63.1 | suspicious
trivselsguide.dk | 94.231.107.137 | suspicious
mangimirossana.it | 80.240.20.142 | suspicious
kiraribeaute-nani.com | (no IP recorded) | malicious
nexstagefinancial.com | 74.208.236.75 | malicious
paradigmlandscape.com | 35.225.43.3 | malicious

Threats

PID | Process | Class | Message
2100 | Regasm.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure (10 identical alerts)
No debug info
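What the network section shows is one process opening TLS connections on port 443 to ten unrelated domains spread across eight hosting providers in six countries, with no HTTP content and every handshake failing. That shape, rather than any single domain, is the durable detection: a domain list changes per build, the fan-out does not. The following Python is an added example, not part of the ANY.RUN report: it scores per-process fan-out over constructed flow records built from the Connections table (the two rows without a recorded PID are attributed to 2100 here, which is an assumption, as are the thresholds, the record layout and the constructed benign browser flows used as a control).

```python
"""Per-process TLS fan-out heuristic.

Added example, not part of the ANY.RUN report. Flow records are constructed
from the Connections/DNS tables above; the PID for the two rows the table
left blank is assumed to be 2100. Thresholds and the benign control flows
are assumptions.
"""
from collections import defaultdict


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: production code should use the
    Public Suffix List (co.uk and similar would be wrong here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fanout_alerts(flows: list[dict], min_domains: int = 8, min_asns: int = 5) -> dict:
    """Group flows by (pid, process); alert when one process reaches at least
    min_domains distinct registrable domains across at least min_asns ASNs."""
    stats = defaultdict(lambda: {"domains": set(), "asns": set(), "countries": set(),
                                 "failed": 0, "total": 0})
    for f in flows:
        s = stats[(f["pid"], f["process"])]
        s["domains"].add(registrable_domain(f["domain"]))
        if f["asn"]:                       # ASN may be missing, as in the report
            s["asns"].add(f["asn"])
        s["countries"].add(f["cn"])
        s["total"] += 1
        if not f["tls_ok"]:
            s["failed"] += 1
    alerts = {}
    for key, s in stats.items():
        if len(s["domains"]) >= min_domains and len(s["asns"]) >= min_asns:
            alerts[key] = {"domains": len(s["domains"]), "asns": len(s["asns"]),
                           "countries": len(s["countries"]),
                           "fail_ratio": s["failed"] / s["total"]}
    return alerts


def build_sample_flows() -> list[dict]:
    """Constructed from the report's Connections table plus a benign control."""
    regasm = [
        ("35.228.55.150", "thestudio.academy", None, "US"),
        ("192.99.236.66", "breathebettertolivebetter.com", "OVH SAS", "CA"),
        ("91.195.240.13", "janasfokus.com", "SEDO GmbH", "DE"),
        ("94.231.107.137", "trivselsguide.dk", "Zitcom A/S", "DK"),          # PID assumed
        ("107.191.63.1", "pajagus.fr", "Choopa, LLC", "FR"),
        ("209.59.176.87", "scietech.academy", "Liquid Web, L.L.C", "US"),
        ("74.208.236.75", "nexstagefinancial.com", "1&1 Internet SE", "US"),
        ("80.240.20.142", "mangimirossana.it", "Cosmoline Telecommunication Services S.A.", "GR"),  # PID assumed
        ("35.225.43.3", "paradigmlandscape.com", None, "US"),
        ("87.230.106.31", "cp-bap.de", "PlusServer GmbH", "DE"),
    ]
    flows = [{"pid": 2100, "process": "Regasm.exe", "ip": ip, "port": 443,
              "domain": dom, "asn": asn, "cn": cn, "tls_ok": False}   # 10 handshake failures
             for ip, dom, asn, cn in regasm]
    # Constructed benign control: a browser talking to a few hosts of one provider.
    for host in ("www.example.com", "cdn.example.net", "api.example.org"):
        flows.append({"pid": 4444, "process": "chrome.exe", "ip": "203.0.113.10", "port": 443,
                      "domain": host, "asn": "Example AS", "cn": "US", "tls_ok": True})
    return flows


if __name__ == "__main__":
    for key, a in fanout_alerts(build_sample_flows()).items():
        print(key, a)
```

In a SIEM this is a windowed aggregation over Zeek conn/ssl or Suricata tls logs joined to process telemetry; the fail_ratio is kept separate from the alerting condition because a handshake failure on its own (the "ET INFO TLS Handshake Failure" alert above) is far too common to page on, while ten of them from one non-browser process to ten providers is not.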