File name:	razspy.exe
Full analysis:	https://app.any.run/tasks/54fb2455-6de1-47f3-a122-c229cc561d95
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 28, 2024, 19:05:58
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader stealer razr ransomware
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	C9122B326A11741382964A64ACBBB43E
SHA1:	216BAC6BEE35CE03407349A23EB6A618BF95082D
SHA256:	AF3B9D5DE82A924B2177D69965DFF7CB98F5ADCA28DD4A50E844D96DADD528D1
SSDEEP:	192:seyxIxJPHkBLpu7qpm7CoIiAc2Dhx16Lo7uj7ID5yJd0/e3Q5tfhNKAkRWN:LhHkpu97CoIiAce1xJm3nG

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:08:28 19:05:46+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	7168
InitializedDataSize:	9216
UninitializedDataSize:	-
EntryPoint:	0x1fb0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line


(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000503A8
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconLayouts
Value: 00000000000000000000000000000000030001000100010013000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000110000000000000063006F006D00700075007400650072006A002E007200740066003E00200020000000130000000000000066006100780069006E0063006C0075006400650073002E006A00700067003E0020002000000014000000000000006600690065006C006400730067006900760069006E0067002E006A00700067003E00200020000000150000000000000066006F006F007400620061006C006C006D006F007600690065002E0070006E0067003E0020002000000011000000000000006700690076006500730061006E0061006C002E006A00700067003E002000200000001600000000000000690072006100710072006500730070006500630074006900760065002E006A00700067003E0020002000000013000000000000007000610079006D0065006E007400610072006D0079002E007200740066003E0020002000000013000000000000007200610074006800650072006C006F0061006E0073002E0070006E0067003E0020002000000014000000000000007300740061006E00640061007200640073006100760065002E007200740066003E002000200000001300000000000000760061006C006C0065007900650061007200740068002E007200740066003E002000200000000E00000000000000720061007A007300700079002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001300000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A0401100000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000000001200
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:	write	Name:	IconNameVersion
Value: 1
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:	write	Name:	LastUpdate
Value: 1E75CF6600000000
(PID) Process:	(752) razspy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(752) razspy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(752) razspy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(752) razspy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(752) razspy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(752) razspy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

PID	Process	Filename		Type
6328	Razrusheniye.exe	C:\Users\admin\Desktop\desktop.ini.raz		binary
		MD5:F8D5A0DE63BF9CCC3A218049478DC91D	SHA256:FF45848CD8BB80FA246C12BEACF759286CDABD66D69F698CDEBCFD7FF9039BDA
752	razspy.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\razrusheniye[1].exe		executable
		MD5:ABF16B5ADB1FFB819CA4B15EA39A117E	SHA256:03A38EC75BD25367B3D9C1F28DA27681DE9FEFD4185CDD6DEB3D777E49AE7882
6328	Razrusheniye.exe	C:\Users\admin\Desktop\givesanal.jpg.raz		binary
		MD5:7D9F30DB2CC89CAB3D16CBAD50646B2F	SHA256:1EDD187C393549ECF22ACD37D0195A8355D90525217C8EB07A566E4B42E20344
4552	explorer.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper		image
		MD5:B2EA0F1CC295405A6010FD3584E8F8B2	SHA256:8B0B65C1653587AF34038B002F163C22104AE4239171B3B6C1D75D403EB13953
752	razspy.exe	C:\Users\admin\AppData\Local\Temp\wallpaper.png		image
		MD5:B2EA0F1CC295405A6010FD3584E8F8B2	SHA256:8B0B65C1653587AF34038B002F163C22104AE4239171B3B6C1D75D403EB13953
752	razspy.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\wallpaper[1].png		image
		MD5:B2EA0F1CC295405A6010FD3584E8F8B2	SHA256:8B0B65C1653587AF34038B002F163C22104AE4239171B3B6C1D75D403EB13953
752	razspy.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\razspy[1].htm		text
		MD5:E0AA021E21DDDBD6D8CECEC71E9CF564	SHA256:565339BC4D33D72817B583024112EB7F5CDF3E5EEF0252D6EC1B9C9A94E12BB3
6328	Razrusheniye.exe	C:\Users\admin\Desktop\faxincludes.jpg.raz		binary
		MD5:0F03915CCB498846731BF8E98033E097	SHA256:64E79CBB04006274F8D11B76219A0FB9EE25066239211EF7EA34931B97D77333
6328	Razrusheniye.exe	C:\Users\admin\Desktop\paymentarmy.rtf.raz		binary
		MD5:737BECA58A83E6F747C75ECECBB5FF42	SHA256:5A2D8DAC78B052F9ED8460D6CFA6BD938D024F72F2B66DBBE0273B11F075F884
6328	Razrusheniye.exe	C:\Users\admin\Desktop\fieldsgiving.jpg.raz		binary
		MD5:53C1A876307405AC01290A8D6CA65DC2	SHA256:023CF3C2044234FD97093C8F7415C4DECB7DFC7A19B4572ACDCB39FFAF374D5A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	184.86.251.15:443	https://r.bing.com/rb/19/cir3,ortl,cc,nc/CYGXBN1kkA_ojDY5vKbCoG4Zy0E.css?bu=C6QJlgOrBIAK5QjPCN4GXV1dXQ&or=w	unknown	—	—	—
—	—	GET	200	35.173.69.207:443	https://xam.pythonanywhere.com/c2/razspy	unknown	text	2 b	—
—	—	POST	204	184.86.251.30:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
—	—	POST	204	184.86.251.26:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
—	—	GET	200	35.173.69.207:443	https://xam.pythonanywhere.com/download/wallpaper.png	unknown	image	72.6 Kb	—
—	—	GET	200	184.86.251.25:443	https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&pastMomentsInDays=6&cc=US&setlang=en-us&clientDateTime=8%2F28%2F2024%2C%207%3A06%3A41%20PM	unknown	text	150 Kb	—
—	—	POST	204	184.86.251.9:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
—	—	GET	200	184.86.251.27:443	https://r.bing.com/rb/16/jnc,nj/4bnLx4S3ZRMpYV30k3R5vRy8JVg.js?bu=DygxeIQBiQGMAYEBe37EAccBMbcBMcoB&or=w	unknown	text	21.4 Kb	—
—	—	GET	200	184.86.251.4:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.36 Kb	—
—	—	GET	200	184.86.251.5:443	https://r.bing.com/rb/4N/jnc,nj/Btu7tBP0vQIHDIMxag4vCxAtQuY.js?bu=FrYs9ir8AYcriyuNK48rtCu9LIMs_BGfLKUswSz8AfwBpSjmK_oR8RH6K-sr&or=w	unknown	text	57.7 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
4316	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
6012	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
752	razspy.exe	35.173.69.207:443	xam.pythonanywhere.com	AMAZON-AES	US	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6328	Razrusheniye.exe	35.173.69.207:443	xam.pythonanywhere.com	AMAZON-AES	US	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6628	SearchApp.exe	2.23.209.167:443	r.bing.com	Akamai International B.V.	GB	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
xam.pythonanywhere.com	35.173.69.207	whitelisted
r.bing.com	2.23.209.167 2.23.209.166 2.23.209.162 2.23.209.176 2.23.209.187 2.23.209.177 2.23.209.185 2.23.209.160 2.23.209.168	whitelisted
www.bing.com	2.23.209.168 2.23.209.167 2.23.209.166 2.23.209.162 2.23.209.176 2.23.209.187 2.23.209.177 2.23.209.185 2.23.209.160	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET INFO Observed HTTP Request to *.pythonanywhere .com Domain
—	—	Misc activity	ET INFO Observed HTTP Request to *.pythonanywhere .com Domain
—	—	Misc activity	ET INFO Observed HTTP Request to *.pythonanywhere .com Domain
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Misc activity	ET INFO Observed HTTP Request to *.pythonanywhere .com Domain
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
—	—	Misc activity	ET INFO EXE - Served Attached HTTP
—	—	A Network Trojan was detected	ET MALWARE Possible RAZR Ransomware User-Agent Observed
—	—	Potentially Bad Traffic	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

General Info

razspy.exe

C9122B326A11741382964A64ACBBB43E

216BAC6BEE35CE03407349A23EB6A618BF95082D

AF3B9D5DE82A924B2177D69965DFF7CB98F5ADCA28DD4A50E844D96DADD528D1

192:seyxIxJPHkBLpu7qpm7CoIiAc2Dhx16Lo7uj7ID5yJd0/e3Q5tfhNKAkRWN:LhHkpu97CoIiAce1xJm3nG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Using BCDEDIT.EXE to modify recovery options

Deletes shadow copies

Application was injected by another process

Runs injected code in another process

Modifies files in the Chrome extension folder

RAZR has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Drops the executable file immediately after the start

Reads the date of Windows installation

Executes application which crashes

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Checks Windows Trust Settings

Executes as Windows Service

INFO

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Manual execution by a user

Create files in a temporary directory

Process checks computer location settings

Reads the computer name

Checks supported languages

Process checks Internet Explorer phishing filters

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings