analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

vvv.exe

Full analysis: https://app.any.run/tasks/2159dde8-2ce7-4790-8e8a-d6e6deeea432
Verdict: Malicious activity
Threats:

Nemty is ransomware with an unusually complex encryption algorithm. This malware encrypts user files and demands money so that they can be unlocked again. It may be connected to other famous ransomware, but we don’t know for sure.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 08:30:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
ransomware
nemty
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3E6672A68447E4E7C297E4DD7171B906

SHA1:

72A1AF262187AC809A3C6395E5F3F3F5804E51E3

SHA256:

98F260B52586EDD447EAAB38F113FC98B9FF6014E291C59C9CD639DF48556E12

SSDEEP:

3072:ksmXOzmGeqemo4K/eGemvUu7i35UUuEx3E13ZLjfWvM5ANom/OU1gidk3sspswF+:oGeJ3eGVOSUuEx3ExlA3/2L3hTFzgPf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NEMTY was detected

      • vvv.exe (PID: 2092)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 2076)
      • cmd.exe (PID: 3836)
      • cmd.exe (PID: 2760)
      • cmd.exe (PID: 2896)
      • cmd.exe (PID: 1316)
      • cmd.exe (PID: 3016)
      • cmd.exe (PID: 3804)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 3920)
      • cmd.exe (PID: 3456)
      • cmd.exe (PID: 320)
      • cmd.exe (PID: 3924)
      • cmd.exe (PID: 1608)
      • cmd.exe (PID: 3596)

    • Deletes shadow copies

      • cmd.exe (PID: 2384)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3288)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 1896)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 2384)

  • SUSPICIOUS

    • Checks for external IP

      • vvv.exe (PID: 2092)

    • Starts CMD.EXE for commands execution

      • vvv.exe (PID: 2092)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2708)
      • cmd.exe (PID: 1772)
      • cmd.exe (PID: 3624)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 1160)

    • Creates files in the user directory

      • vvv.exe (PID: 2092)

    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 3928)
      • cmd.exe (PID: 2168)
      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 3916)

    • Executable content was dropped or overwritten

      • vvv.exe (PID: 2092)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:10:04 09:56:21+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 32768
InitializedDataSize: 57344
UninitializedDataSize: -
EntryPoint: 0x3203
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-Oct-2019 07:56:21
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 04-Oct-2019 07:56:21
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00007E21
0x00008000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60889
.rdata
0x00009000
0x00000E74
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.02637
.data
0x0000A000
0x0000ABF4
0x0000A000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.38145
.rsrc
0x00015000
0x00001058
0x00002000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.03368

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.29035
600
UNKNOWN
English - United States
RT_STRING
2
2.81454
296
UNKNOWN
English - United States
RT_ICON
101
3.16596
208
UNKNOWN
English - United States
RT_DIALOG
102
2.91735
496
UNKNOWN
English - United States
RT_DIALOG
103
3.39355
418
UNKNOWN
English - United States
RT_DIALOG
104
2.82236
402
UNKNOWN
English - United States
RT_DIALOG
105
3.25031
418
UNKNOWN
English - United States
RT_DIALOG
106
2.37086
34
UNKNOWN
English - United States
RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
comdlg32.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
69
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #NEMTY vvv.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs net.exe no specs cmd.exe no specs net.exe no specs cmd.exe no specs net.exe no specs cmd.exe no specs net.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs net.exe no specs cmd.exe no specs net1.exe no specs net.exe no specs cmd.exe no specs net1.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs net.exe no specs net1.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs schtasks.exe no specs net1.exe no specs vssadmin.exe no specs net1.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2092"C:\Users\admin\AppData\Local\Temp\vvv.exe" C:\Users\admin\AppData\Local\Temp\vvv.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
2708"C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.exeC:\Windows\System32\cmd.exevvv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3928"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exeC:\Windows\System32\cmd.exevvv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1772"C:\Windows\System32\cmd.exe" /c taskkill /f /im wordpad.exeC:\Windows\System32\cmd.exevvv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2232taskkill /f /im sql.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2168"C:\Windows\System32\cmd.exe" /c taskkill /f /im outlook.exeC:\Windows\System32\cmd.exevvv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3624"C:\Windows\System32\cmd.exe" /c taskkill /f /im thunderbird.exeC:\Windows\System32\cmd.exevvv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3816taskkill /f /im winword.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1952"C:\Windows\System32\cmd.exe" /c taskkill /f /im oracle.exeC:\Windows\System32\cmd.exevvv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1816taskkill /f /im wordpad.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
373
Read events
352
Write events
21
Delete events
0

Modification events

(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2092) vvv.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vvv_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
1
Suspicious files
1
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
2092vvv.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@db-ip[1].txttext
MD5:658F86ECC270242EE43B1083AA33E124
SHA256:2F121BD409C18FB7EAB406A1BB63F8B265E6641A3E96DDC809CF57121B6AD26B
2092vvv.exeC:\Users\admin\AdobeUpdate.exeexecutable
MD5:3E6672A68447E4E7C297E4DD7171B906
SHA256:98F260B52586EDD447EAAB38F113FC98B9FF6014E291C59C9CD639DF48556E12
2092vvv.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\650860e5119ec19a8de142e32f03c712_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:9A2AD7B106723A4F7E37BCBB04082FAF
SHA256:CFCF0B58EBF69E33D7D30CCCF74F6FD904A98FBE0C32E10EF4460A361FC9CF67
2092vvv.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\94a9cdfb09e37d01f75d09c2c4488906_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:97C362A61335369B0D97285F02B5FB14
SHA256:0A436FBF360CEFFF51302411AC48951078E5D1A84E425965E36B7E881AFA1BCC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2092
vvv.exe
GET
200
104.25.2.33:80
http://api.db-ip.com/v2/free/37.48.118.41/countryName
US
text
11 b
shared
2092
vvv.exe
GET
200
23.23.243.154:80
http://api.ipify.org/
US
text
12 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2092
vvv.exe
23.23.243.154:80
api.ipify.org
Amazon.com, Inc.
US
malicious
2092
vvv.exe
104.25.3.33:80
api.db-ip.com
Cloudflare Inc
US
shared
2092
vvv.exe
104.25.2.33:80
api.db-ip.com
Cloudflare Inc
US
shared
2092
vvv.exe
45.132.19.146:443
nemty.hk
unknown

DNS requests

Domain
IP
Reputation
api.ipify.org
  • 23.23.243.154
  • 50.19.218.16
  • 107.22.193.167
  • 54.235.187.248
  • 54.243.147.226
  • 54.225.92.64
  • 23.23.73.124
  • 23.23.229.94
shared
api.db-ip.com
  • 104.25.3.33
  • 104.25.2.33
shared
nemty.hk
  • 45.132.19.146
  • 194.67.196.189
  • 82.146.39.206
unknown

Threats

PID
Process
Class
Message
2092
vvv.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
2092
vvv.exe
A Network Trojan was detected
ET TROJAN Win32/Nemty Ransomware Style Geo IP Check M2
2092
vvv.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (Chrome)
2092
vvv.exe
A Network Trojan was detected
ET TROJAN Win32/Nemty Ransomware Style Geo IP Check M1
2092
vvv.exe
Potential Corporate Privacy Violation
ET POLICY External Geo IP Lookup (api .db-ip .com)
2092
vvv.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (Chrome)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
vvv.exe