File name: 1 (1).7z

Full analysis: https://app.any.run/tasks/bc50fce5-8e25-4de8-9085-eb95cb934e85
Verdict: Malicious activity
Threats: Ransomware

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 30, 2020, 10:13:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, covid19, stealer

Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: B5155AA00F048CE8F23C68C26BB388A5
SHA1: BF843F1C65171EE6E0346231E2BF20A7258AEF11
SHA256: B9BD137536D2B63C29ADF0A563488450B4E94E31318BB4A0FEBBD484A9FF88D1
SSDEEP: 12288:G4ozeDzvBrdnGQf4olOp1G/+ekLsUtIgtVyR/:GifBrdGClOm/+eanI2Vs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 1.exe (PID: 2168)
      • 1.exe (PID: 2604)
    • Deletes shadow copies
      • 1.exe (PID: 2604)
    • Changes the autorun value in the registry
      • 1.exe (PID: 2604)
    • Starts BCDEDIT.EXE to disable recovery
      • 1.exe (PID: 2604)
    • Tries to delete the hosts file
      • 1.exe (PID: 2604)
    • Stealing of credential data
      • 1.exe (PID: 2604)
    • Actions look like stealing of personal data
      • 1.exe (PID: 2604)
  • SUSPICIOUS
    • Creates files like ransomware instructions
      • 1.exe (PID: 2168)
    • Application launched itself
      • 1.exe (PID: 2168)
    • Creates files in the user directory
      • 1.exe (PID: 2168)
      • 1.exe (PID: 2604)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2160)
    • Creates files in the program directory
      • 1.exe (PID: 2604)
    • Reads the cookies of Google Chrome
      • 1.exe (PID: 2604)
    • Starts CMD.EXE for command execution
      • 1.exe (PID: 2604)
    • Removes files from the Windows directory
      • 1.exe (PID: 2604)
    • Creates files in the driver directory
      • 1.exe (PID: 2604)
    • Creates files in the Windows directory
      • 1.exe (PID: 2604)
  • INFO
    • Manual execution by user
      • 1.exe (PID: 2168)
    • Drops Coronavirus (possible) decoy
      • 1.exe (PID: 2604)
    • Reads the hosts file
      • 1.exe (PID: 2604)
    • Dropped object may contain Bitcoin addresses
      • 1.exe (PID: 2604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
All screenshots are available in the full report
Total processes: 83
Monitored processes: 21
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in order: start, winrar.exe, 1.exe (no specs), 1.exe, vssadmin.exe (no specs) ×13, bcdedit.exe (no specs) ×2, wbadmin.exe (no specs), wmic.exe (no specs), cmd.exe (no specs)

Process information

PID: 2160
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\1 (1).7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2168
CMD: "C:\Users\admin\Desktop\1.exe"
Path: C:\Users\admin\Desktop\1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2604
CMD: "C:\Users\admin\Desktop\1.exe"
Path: C:\Users\admin\Desktop\1.exe
Parent process: 1.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2572
CMD: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
Path: C:\Windows\system32\vssadmin.exe
Parent process: 1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2296
CMD: vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
Path: C:\Windows\system32\vssadmin.exe
Parent process: 1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1436
CMD: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
Path: C:\Windows\system32\vssadmin.exe
Parent process: 1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2496
CMD: vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
Path: C:\Windows\system32\vssadmin.exe
Parent process: 1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3708
CMD: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
Path: C:\Windows\system32\vssadmin.exe
Parent process: 1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 964
CMD: vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
Path: C:\Windows\system32\vssadmin.exe
Parent process: 1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4020
CMD: vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
Path: C:\Windows\system32\vssadmin.exe
Parent process: 1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 741
Read events: 706
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 1 082
Text files: 9
Unknown types: 36

Dropped files

PID: 2604 | Process: 1.exe | Type: binary
Filename: C:\Program Files\FileZilla FTP Client\NEWS.corona-lock
MD5: 0754DEF3DDB26994935EA418E67B2D9E
SHA256: 575EFEF11FBFD907D69086D6095E77E4627D426CE3F733481921DCC4C71E3B20

PID: 2688 | Process: wbadmin.exe | Type: etl
Filename: C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl
MD5: DBDFCE7DA78D2959380D473A8EA1C62E
SHA256: D6D6349F53BC44DA87D5D83BF6B49CB73C6FD199746D64F3ABB910EA2F0470E2

PID: 2168 | Process: 1.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\KEY.FILE
MD5: C3B0B7B44C6FA9D636C5329711466930
SHA256: 2CF8D3E1C95C94BA5C306104BC78FAAA191010E2E994304D7025421A30AFBDAB

PID: 2604 | Process: 1.exe | Type: bs
Filename: C:\Program Files\Notepad++\LICENSE.corona-lock
MD5: 1C0120B4BE2A9AEFD44D0A2CC87EC777
SHA256: 05CA9039636EB9D49B44077DCD32D0FA79004DC1AA72A1C8D148819843EA99D5

PID: 2604 | Process: 1.exe | Type: binary
Filename: C:\Program Files\Mozilla Firefox\precomplete.corona-lock
MD5: 7425DD49017DC4C9352670D51441F363
SHA256: C58B2FF622409DFD3A820E59B97F7EFD7C443CFACB4FF9C5C6CADABD27E24F00

PID: 2604 | Process: 1.exe | Type: binary
Filename: C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.corona-lock
MD5: C98C4E005068C6F9C618ED4B9FF53DA5
SHA256: 96754C5B0687B9754501977702379AA16E3544B4C523F0F2D45D35BAD470A9AF

PID: 2168 | Process: 1.exe | Type: text
Filename: C:\Users\admin\Desktop\README_LOCK.TXT
MD5: BEED76FC85A2C39FF192D44F2A0462E1
SHA256: 306CE6286983A4658B2F27EEBFAE8E515C5AC1A4EB42A389782382A00F3211ED

PID: 2604 | Process: 1.exe | Type: binary
Filename: C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.corona-lock
MD5: AD92A644CEE7429BDA5088D4663F87C7
SHA256: 865B4AB0AE0098C14113B8E260F59A66FC9888E9695C54A82DC10B166FF33364

PID: 2604 | Process: 1.exe | Type: binary
Filename: C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.corona-lock
MD5: BFB0A61C2D131465B78FCF3AC503925C
SHA256: 7DF17B0F5FE007EF1616318FFEDCCF0BCED28423F402A852CE71D75EFEB9F581

PID: 2604 | Process: 1.exe | Type: (not recorded)
Filename: C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.corona-lock
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info