| File name: | hi.exe |
| Full analysis: | https://app.any.run/tasks/4976f75a-58d7-4848-97c5-f909996d2c43 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | March 19, 2024, 11:49:35 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | 51579D163D94805EFDA13C54D7184EDC |
| SHA1: | 6C93509C630C87CA91FDA6CA15895E331F0F0B63 |
| SHA256: | 96C57A03D94DC51B855CB72FD3B8950C8220AA82050C2617195399AD9CB1AC59 |
| SSDEEP: | 3072:2ygkM0Me9LQnwIm5eQbXa/rLj9kjddtLwxOMF3WUk4yKeip:geunP//rH9kN4NZ1p |
MALICIOUS
Drops the executable file immediately after the start
- runas.exe (PID: 3992)
- hi.exe (PID: 116)
Renames files like ransomware
- hi.exe (PID: 116)
Actions looks like stealing of personal data
- hi.exe (PID: 116)
SUSPICIOUS
Creates file in the systems drive root
- hi.exe (PID: 116)
INFO
Reads the computer name
- hi.exe (PID: 116)
Checks supported languages
- hi.exe (PID: 116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:03:19 11:45:13+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.29 |
| CodeSize: | 75264 |
| InitializedDataSize: | 39424 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2e7c |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
41
Monitored processes
2
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | C:\Users\admin\Desktop\hi.exe | C:\Users\admin\Desktop\hi.exe | runas.exe | ||||||||||||
User: Administrator Integrity Level: HIGH Exit code: 3221225786 Modules
| |||||||||||||||
| 3992 | "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Desktop\hi.exe | C:\Windows\System32\runas.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Run As Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
96
Read events
96
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
819
Text files
12
Unknown types
112
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 116 | hi.exe | C:\autoexec.bat.H | binary | |
MD5:43811B37A5F67931F742A6435B9B9D3C | SHA256:787E50BBC167A1DB26FC3F114ED0087BAE8D9E6142864E9636981C5204328A42 | |||
| 116 | hi.exe | C:\Users\admin\ntuser.ini.H | text | |
MD5:D9F90CCAC0072B364E204FF629774235 | SHA256:55FBA4AD3D15FF5623F60E99D915004E0E943DC1F71E6D0085F7B6B3CDD23754 | |||
| 116 | hi.exe | C:\Users\Administrator\ntuser.ini | text | |
MD5:BE32CB926F724A87919788D6CFA72196 | SHA256:DEE5EF75A73AF608BC3ACB4009A8AB28E8180F06054E158B8140E449566FF8CB | |||
| 116 | hi.exe | C:\Users\admin\ntuser.ini | text | |
MD5:D9F90CCAC0072B364E204FF629774235 | SHA256:55FBA4AD3D15FF5623F60E99D915004E0E943DC1F71E6D0085F7B6B3CDD23754 | |||
| 116 | hi.exe | C:\autoexec.bat | binary | |
MD5:43811B37A5F67931F742A6435B9B9D3C | SHA256:787E50BBC167A1DB26FC3F114ED0087BAE8D9E6142864E9636981C5204328A42 | |||
| 116 | hi.exe | C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf | binary | |
MD5:57DAED4C1C6CA50AC826F50F6A1EE036 | SHA256:1D581C37982BF11327E4F87B7F70B4ABDED0DE2817C0201D3F6D35403D827F20 | |||
| 116 | hi.exe | C:\Users\Default\NTUSER.DAT.H | binary | |
MD5:506C1628C2570184F71DB4F95CDDE713 | SHA256:3FE9F4E82F7FF75A9883F071A62D691931A1F48BCBC28C9EA2F175939B104B3B | |||
| 116 | hi.exe | C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms | binary | |
MD5:8B04729439B6636C01BC7AF5B42585A1 | SHA256:5A0A7A773479DE03E9A79C5E888C09BA9CD59680C23C74E7F710BA89768218FD | |||
| 116 | hi.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | binary | |
MD5:BC660694F647C31D14183DE5464D8E18 | SHA256:DE0DF1DDBEA86D2212B3A8A55E9E048A88B6E070FD726CBE0870C5CC3F0C17FD | |||
| 116 | hi.exe | C:\Users\Default\NTUSER.DAT.LOG.H | binary | |
MD5:D2FE70AC142067C5BD192C8A133AC51C | SHA256:7BAF99BB2FC70F4E4CB849D71F9C81748837C95FA5917A23EC8B88685C1CBF8F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report